xref: /freebsd/crypto/openssl/ssl/t1_lib.c (revision 8ef24a0d4b28fe230e20637f56869cc4148cd2ca)
1 /* ssl/t1_lib.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include <openssl/objects.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #ifndef OPENSSL_NO_EC
117 #ifdef OPENSSL_NO_EC2M
118 # include <openssl/ec.h>
119 #endif
120 #endif
121 #include <openssl/ocsp.h>
122 #include <openssl/rand.h>
123 #include "ssl_locl.h"
124 
125 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;
126 
127 #ifndef OPENSSL_NO_TLSEXT
128 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
129                               const unsigned char *sess_id, int sesslen,
130                               SSL_SESSION **psess);
131 static int ssl_check_clienthello_tlsext_early(SSL *s);
132 int ssl_check_serverhello_tlsext(SSL *s);
133 #endif
134 
135 SSL3_ENC_METHOD TLSv1_enc_data = {
136     tls1_enc,
137     tls1_mac,
138     tls1_setup_key_block,
139     tls1_generate_master_secret,
140     tls1_change_cipher_state,
141     tls1_final_finish_mac,
142     TLS1_FINISH_MAC_LENGTH,
143     tls1_cert_verify_mac,
144     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
145     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
146     tls1_alert_code,
147     tls1_export_keying_material,
148     0,
149     SSL3_HM_HEADER_LENGTH,
150     ssl3_set_handshake_header,
151     ssl3_handshake_write
152 };
153 
154 SSL3_ENC_METHOD TLSv1_1_enc_data = {
155     tls1_enc,
156     tls1_mac,
157     tls1_setup_key_block,
158     tls1_generate_master_secret,
159     tls1_change_cipher_state,
160     tls1_final_finish_mac,
161     TLS1_FINISH_MAC_LENGTH,
162     tls1_cert_verify_mac,
163     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
164     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
165     tls1_alert_code,
166     tls1_export_keying_material,
167     SSL_ENC_FLAG_EXPLICIT_IV,
168     SSL3_HM_HEADER_LENGTH,
169     ssl3_set_handshake_header,
170     ssl3_handshake_write
171 };
172 
173 SSL3_ENC_METHOD TLSv1_2_enc_data = {
174     tls1_enc,
175     tls1_mac,
176     tls1_setup_key_block,
177     tls1_generate_master_secret,
178     tls1_change_cipher_state,
179     tls1_final_finish_mac,
180     TLS1_FINISH_MAC_LENGTH,
181     tls1_cert_verify_mac,
182     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
183     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
184     tls1_alert_code,
185     tls1_export_keying_material,
186     SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS | SSL_ENC_FLAG_SHA256_PRF
187         | SSL_ENC_FLAG_TLS1_2_CIPHERS,
188     SSL3_HM_HEADER_LENGTH,
189     ssl3_set_handshake_header,
190     ssl3_handshake_write
191 };
192 
193 long tls1_default_timeout(void)
194 {
195     /*
196      * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
197      * http, the cache would over fill
198      */
199     return (60 * 60 * 2);
200 }
201 
202 int tls1_new(SSL *s)
203 {
204     if (!ssl3_new(s))
205         return (0);
206     s->method->ssl_clear(s);
207     return (1);
208 }
209 
210 void tls1_free(SSL *s)
211 {
212 #ifndef OPENSSL_NO_TLSEXT
213     if (s->tlsext_session_ticket) {
214         OPENSSL_free(s->tlsext_session_ticket);
215     }
216 #endif                          /* OPENSSL_NO_TLSEXT */
217     ssl3_free(s);
218 }
219 
220 void tls1_clear(SSL *s)
221 {
222     ssl3_clear(s);
223     s->version = s->method->version;
224 }
225 
226 #ifndef OPENSSL_NO_EC
227 
228 static int nid_list[] = {
229     NID_sect163k1,              /* sect163k1 (1) */
230     NID_sect163r1,              /* sect163r1 (2) */
231     NID_sect163r2,              /* sect163r2 (3) */
232     NID_sect193r1,              /* sect193r1 (4) */
233     NID_sect193r2,              /* sect193r2 (5) */
234     NID_sect233k1,              /* sect233k1 (6) */
235     NID_sect233r1,              /* sect233r1 (7) */
236     NID_sect239k1,              /* sect239k1 (8) */
237     NID_sect283k1,              /* sect283k1 (9) */
238     NID_sect283r1,              /* sect283r1 (10) */
239     NID_sect409k1,              /* sect409k1 (11) */
240     NID_sect409r1,              /* sect409r1 (12) */
241     NID_sect571k1,              /* sect571k1 (13) */
242     NID_sect571r1,              /* sect571r1 (14) */
243     NID_secp160k1,              /* secp160k1 (15) */
244     NID_secp160r1,              /* secp160r1 (16) */
245     NID_secp160r2,              /* secp160r2 (17) */
246     NID_secp192k1,              /* secp192k1 (18) */
247     NID_X9_62_prime192v1,       /* secp192r1 (19) */
248     NID_secp224k1,              /* secp224k1 (20) */
249     NID_secp224r1,              /* secp224r1 (21) */
250     NID_secp256k1,              /* secp256k1 (22) */
251     NID_X9_62_prime256v1,       /* secp256r1 (23) */
252     NID_secp384r1,              /* secp384r1 (24) */
253     NID_secp521r1,              /* secp521r1 (25) */
254     NID_brainpoolP256r1,        /* brainpoolP256r1 (26) */
255     NID_brainpoolP384r1,        /* brainpoolP384r1 (27) */
256     NID_brainpoolP512r1         /* brainpool512r1 (28) */
257 };
258 
259 static const unsigned char ecformats_default[] = {
260     TLSEXT_ECPOINTFORMAT_uncompressed,
261     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime,
262     TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2
263 };
264 
265 /* The client's default curves / the server's 'auto' curves. */
266 static const unsigned char eccurves_auto[] = {
267     /* Prefer P-256 which has the fastest and most secure implementations. */
268     0, 23,                      /* secp256r1 (23) */
269     /* Other >= 256-bit prime curves. */
270     0, 25,                      /* secp521r1 (25) */
271     0, 28,                      /* brainpool512r1 (28) */
272     0, 27,                      /* brainpoolP384r1 (27) */
273     0, 24,                      /* secp384r1 (24) */
274     0, 26,                      /* brainpoolP256r1 (26) */
275     0, 22,                      /* secp256k1 (22) */
276 # ifndef OPENSSL_NO_EC2M
277     /* >= 256-bit binary curves. */
278     0, 14,                      /* sect571r1 (14) */
279     0, 13,                      /* sect571k1 (13) */
280     0, 11,                      /* sect409k1 (11) */
281     0, 12,                      /* sect409r1 (12) */
282     0, 9,                       /* sect283k1 (9) */
283     0, 10,                      /* sect283r1 (10) */
284 # endif
285 };
286 
287 static const unsigned char eccurves_all[] = {
288     /* Prefer P-256 which has the fastest and most secure implementations. */
289     0, 23,                      /* secp256r1 (23) */
290     /* Other >= 256-bit prime curves. */
291     0, 25,                      /* secp521r1 (25) */
292     0, 28,                      /* brainpool512r1 (28) */
293     0, 27,                      /* brainpoolP384r1 (27) */
294     0, 24,                      /* secp384r1 (24) */
295     0, 26,                      /* brainpoolP256r1 (26) */
296     0, 22,                      /* secp256k1 (22) */
297 # ifndef OPENSSL_NO_EC2M
298     /* >= 256-bit binary curves. */
299     0, 14,                      /* sect571r1 (14) */
300     0, 13,                      /* sect571k1 (13) */
301     0, 11,                      /* sect409k1 (11) */
302     0, 12,                      /* sect409r1 (12) */
303     0, 9,                       /* sect283k1 (9) */
304     0, 10,                      /* sect283r1 (10) */
305 # endif
306     /*
307      * Remaining curves disabled by default but still permitted if set
308      * via an explicit callback or parameters.
309      */
310     0, 20,                      /* secp224k1 (20) */
311     0, 21,                      /* secp224r1 (21) */
312     0, 18,                      /* secp192k1 (18) */
313     0, 19,                      /* secp192r1 (19) */
314     0, 15,                      /* secp160k1 (15) */
315     0, 16,                      /* secp160r1 (16) */
316     0, 17,                      /* secp160r2 (17) */
317 # ifndef OPENSSL_NO_EC2M
318     0, 8,                       /* sect239k1 (8) */
319     0, 6,                       /* sect233k1 (6) */
320     0, 7,                       /* sect233r1 (7) */
321     0, 4,                       /* sect193r1 (4) */
322     0, 5,                       /* sect193r2 (5) */
323     0, 1,                       /* sect163k1 (1) */
324     0, 2,                       /* sect163r1 (2) */
325     0, 3,                       /* sect163r2 (3) */
326 # endif
327 };
328 
329 static const unsigned char suiteb_curves[] = {
330     0, TLSEXT_curve_P_256,
331     0, TLSEXT_curve_P_384
332 };
333 
334 # ifdef OPENSSL_FIPS
335 /* Brainpool not allowed in FIPS mode */
336 static const unsigned char fips_curves_default[] = {
337 #  ifndef OPENSSL_NO_EC2M
338     0, 14,                      /* sect571r1 (14) */
339     0, 13,                      /* sect571k1 (13) */
340 #  endif
341     0, 25,                      /* secp521r1 (25) */
342 #  ifndef OPENSSL_NO_EC2M
343     0, 11,                      /* sect409k1 (11) */
344     0, 12,                      /* sect409r1 (12) */
345 #  endif
346     0, 24,                      /* secp384r1 (24) */
347 #  ifndef OPENSSL_NO_EC2M
348     0, 9,                       /* sect283k1 (9) */
349     0, 10,                      /* sect283r1 (10) */
350 #  endif
351     0, 22,                      /* secp256k1 (22) */
352     0, 23,                      /* secp256r1 (23) */
353 #  ifndef OPENSSL_NO_EC2M
354     0, 8,                       /* sect239k1 (8) */
355     0, 6,                       /* sect233k1 (6) */
356     0, 7,                       /* sect233r1 (7) */
357 #  endif
358     0, 20,                      /* secp224k1 (20) */
359     0, 21,                      /* secp224r1 (21) */
360 #  ifndef OPENSSL_NO_EC2M
361     0, 4,                       /* sect193r1 (4) */
362     0, 5,                       /* sect193r2 (5) */
363 #  endif
364     0, 18,                      /* secp192k1 (18) */
365     0, 19,                      /* secp192r1 (19) */
366 #  ifndef OPENSSL_NO_EC2M
367     0, 1,                       /* sect163k1 (1) */
368     0, 2,                       /* sect163r1 (2) */
369     0, 3,                       /* sect163r2 (3) */
370 #  endif
371     0, 15,                      /* secp160k1 (15) */
372     0, 16,                      /* secp160r1 (16) */
373     0, 17,                      /* secp160r2 (17) */
374 };
375 # endif
376 
377 int tls1_ec_curve_id2nid(int curve_id)
378 {
379     /* ECC curves from RFC 4492 and RFC 7027 */
380     if ((curve_id < 1) || ((unsigned int)curve_id >
381                            sizeof(nid_list) / sizeof(nid_list[0])))
382         return 0;
383     return nid_list[curve_id - 1];
384 }
385 
386 int tls1_ec_nid2curve_id(int nid)
387 {
388     /* ECC curves from RFC 4492 and RFC 7027 */
389     switch (nid) {
390     case NID_sect163k1:        /* sect163k1 (1) */
391         return 1;
392     case NID_sect163r1:        /* sect163r1 (2) */
393         return 2;
394     case NID_sect163r2:        /* sect163r2 (3) */
395         return 3;
396     case NID_sect193r1:        /* sect193r1 (4) */
397         return 4;
398     case NID_sect193r2:        /* sect193r2 (5) */
399         return 5;
400     case NID_sect233k1:        /* sect233k1 (6) */
401         return 6;
402     case NID_sect233r1:        /* sect233r1 (7) */
403         return 7;
404     case NID_sect239k1:        /* sect239k1 (8) */
405         return 8;
406     case NID_sect283k1:        /* sect283k1 (9) */
407         return 9;
408     case NID_sect283r1:        /* sect283r1 (10) */
409         return 10;
410     case NID_sect409k1:        /* sect409k1 (11) */
411         return 11;
412     case NID_sect409r1:        /* sect409r1 (12) */
413         return 12;
414     case NID_sect571k1:        /* sect571k1 (13) */
415         return 13;
416     case NID_sect571r1:        /* sect571r1 (14) */
417         return 14;
418     case NID_secp160k1:        /* secp160k1 (15) */
419         return 15;
420     case NID_secp160r1:        /* secp160r1 (16) */
421         return 16;
422     case NID_secp160r2:        /* secp160r2 (17) */
423         return 17;
424     case NID_secp192k1:        /* secp192k1 (18) */
425         return 18;
426     case NID_X9_62_prime192v1: /* secp192r1 (19) */
427         return 19;
428     case NID_secp224k1:        /* secp224k1 (20) */
429         return 20;
430     case NID_secp224r1:        /* secp224r1 (21) */
431         return 21;
432     case NID_secp256k1:        /* secp256k1 (22) */
433         return 22;
434     case NID_X9_62_prime256v1: /* secp256r1 (23) */
435         return 23;
436     case NID_secp384r1:        /* secp384r1 (24) */
437         return 24;
438     case NID_secp521r1:        /* secp521r1 (25) */
439         return 25;
440     case NID_brainpoolP256r1:  /* brainpoolP256r1 (26) */
441         return 26;
442     case NID_brainpoolP384r1:  /* brainpoolP384r1 (27) */
443         return 27;
444     case NID_brainpoolP512r1:  /* brainpool512r1 (28) */
445         return 28;
446     default:
447         return 0;
448     }
449 }
450 
451 /*
452  * Get curves list, if "sess" is set return client curves otherwise
453  * preferred list.
454  * Sets |num_curves| to the number of curves in the list, i.e.,
455  * the length of |pcurves| is 2 * num_curves.
456  * Returns 1 on success and 0 if the client curves list has invalid format.
457  * The latter indicates an internal error: we should not be accepting such
458  * lists in the first place.
459  * TODO(emilia): we should really be storing the curves list in explicitly
460  * parsed form instead. (However, this would affect binary compatibility
461  * so cannot happen in the 1.0.x series.)
462  */
463 static int tls1_get_curvelist(SSL *s, int sess,
464                               const unsigned char **pcurves,
465                               size_t *num_curves)
466 {
467     size_t pcurveslen = 0;
468     if (sess) {
469         *pcurves = s->session->tlsext_ellipticcurvelist;
470         pcurveslen = s->session->tlsext_ellipticcurvelist_length;
471     } else {
472         /* For Suite B mode only include P-256, P-384 */
473         switch (tls1_suiteb(s)) {
474         case SSL_CERT_FLAG_SUITEB_128_LOS:
475             *pcurves = suiteb_curves;
476             pcurveslen = sizeof(suiteb_curves);
477             break;
478 
479         case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
480             *pcurves = suiteb_curves;
481             pcurveslen = 2;
482             break;
483 
484         case SSL_CERT_FLAG_SUITEB_192_LOS:
485             *pcurves = suiteb_curves + 2;
486             pcurveslen = 2;
487             break;
488         default:
489             *pcurves = s->tlsext_ellipticcurvelist;
490             pcurveslen = s->tlsext_ellipticcurvelist_length;
491         }
492         if (!*pcurves) {
493 # ifdef OPENSSL_FIPS
494             if (FIPS_mode()) {
495                 *pcurves = fips_curves_default;
496                 pcurveslen = sizeof(fips_curves_default);
497             } else
498 # endif
499             {
500                 if (!s->server || s->cert->ecdh_tmp_auto) {
501                     *pcurves = eccurves_auto;
502                     pcurveslen = sizeof(eccurves_auto);
503                 } else {
504                     *pcurves = eccurves_all;
505                     pcurveslen = sizeof(eccurves_all);
506                 }
507             }
508         }
509     }
510     /* We do not allow odd length arrays to enter the system. */
511     if (pcurveslen & 1) {
512         SSLerr(SSL_F_TLS1_GET_CURVELIST, ERR_R_INTERNAL_ERROR);
513         *num_curves = 0;
514         return 0;
515     } else {
516         *num_curves = pcurveslen / 2;
517         return 1;
518     }
519 }
520 
521 /* Check a curve is one of our preferences */
522 int tls1_check_curve(SSL *s, const unsigned char *p, size_t len)
523 {
524     const unsigned char *curves;
525     size_t num_curves, i;
526     unsigned int suiteb_flags = tls1_suiteb(s);
527     if (len != 3 || p[0] != NAMED_CURVE_TYPE)
528         return 0;
529     /* Check curve matches Suite B preferences */
530     if (suiteb_flags) {
531         unsigned long cid = s->s3->tmp.new_cipher->id;
532         if (p[1])
533             return 0;
534         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
535             if (p[2] != TLSEXT_curve_P_256)
536                 return 0;
537         } else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
538             if (p[2] != TLSEXT_curve_P_384)
539                 return 0;
540         } else                  /* Should never happen */
541             return 0;
542     }
543     if (!tls1_get_curvelist(s, 0, &curves, &num_curves))
544         return 0;
545     for (i = 0; i < num_curves; i++, curves += 2) {
546         if (p[1] == curves[0] && p[2] == curves[1])
547             return 1;
548     }
549     return 0;
550 }
551 
552 /*-
553  * Return |nmatch|th shared curve or NID_undef if there is no match.
554  * For nmatch == -1, return number of  matches
555  * For nmatch == -2, return the NID of the curve to use for
556  * an EC tmp key, or NID_undef if there is no match.
557  */
558 int tls1_shared_curve(SSL *s, int nmatch)
559 {
560     const unsigned char *pref, *supp;
561     size_t num_pref, num_supp, i, j;
562     int k;
563     /* Can't do anything on client side */
564     if (s->server == 0)
565         return -1;
566     if (nmatch == -2) {
567         if (tls1_suiteb(s)) {
568             /*
569              * For Suite B ciphersuite determines curve: we already know
570              * these are acceptable due to previous checks.
571              */
572             unsigned long cid = s->s3->tmp.new_cipher->id;
573             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
574                 return NID_X9_62_prime256v1; /* P-256 */
575             if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
576                 return NID_secp384r1; /* P-384 */
577             /* Should never happen */
578             return NID_undef;
579         }
580         /* If not Suite B just return first preference shared curve */
581         nmatch = 0;
582     }
583     /*
584      * Avoid truncation. tls1_get_curvelist takes an int
585      * but s->options is a long...
586      */
587     if (!tls1_get_curvelist
588         (s, (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0, &supp,
589          &num_supp))
590         /* In practice, NID_undef == 0 but let's be precise. */
591         return nmatch == -1 ? 0 : NID_undef;
592     if (!tls1_get_curvelist
593         (s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
594          &num_pref))
595         return nmatch == -1 ? 0 : NID_undef;
596 
597     /*
598      * If the client didn't send the elliptic_curves extension all of them
599      * are allowed.
600      */
601     if (num_supp == 0 && (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0) {
602         supp = eccurves_all;
603         num_supp = sizeof(eccurves_all) / 2;
604     } else if (num_pref == 0 &&
605         (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) == 0) {
606         pref = eccurves_all;
607         num_pref = sizeof(eccurves_all) / 2;
608     }
609 
610     k = 0;
611     for (i = 0; i < num_pref; i++, pref += 2) {
612         const unsigned char *tsupp = supp;
613         for (j = 0; j < num_supp; j++, tsupp += 2) {
614             if (pref[0] == tsupp[0] && pref[1] == tsupp[1]) {
615                 if (nmatch == k) {
616                     int id = (pref[0] << 8) | pref[1];
617                     return tls1_ec_curve_id2nid(id);
618                 }
619                 k++;
620             }
621         }
622     }
623     if (nmatch == -1)
624         return k;
625     /* Out of range (nmatch > k). */
626     return NID_undef;
627 }
628 
629 int tls1_set_curves(unsigned char **pext, size_t *pextlen,
630                     int *curves, size_t ncurves)
631 {
632     unsigned char *clist, *p;
633     size_t i;
634     /*
635      * Bitmap of curves included to detect duplicates: only works while curve
636      * ids < 32
637      */
638     unsigned long dup_list = 0;
639 # ifdef OPENSSL_NO_EC2M
640     EC_GROUP *curve;
641 # endif
642 
643     clist = OPENSSL_malloc(ncurves * 2);
644     if (!clist)
645         return 0;
646     for (i = 0, p = clist; i < ncurves; i++) {
647         unsigned long idmask;
648         int id;
649         id = tls1_ec_nid2curve_id(curves[i]);
650 # ifdef OPENSSL_FIPS
651         /* NB: 25 is last curve ID supported by FIPS module */
652         if (FIPS_mode() && id > 25) {
653             OPENSSL_free(clist);
654             return 0;
655         }
656 # endif
657 # ifdef OPENSSL_NO_EC2M
658         curve = EC_GROUP_new_by_curve_name(curves[i]);
659         if (!curve || EC_METHOD_get_field_type(EC_GROUP_method_of(curve))
660             == NID_X9_62_characteristic_two_field) {
661             if (curve)
662                 EC_GROUP_free(curve);
663             OPENSSL_free(clist);
664             return 0;
665         } else
666             EC_GROUP_free(curve);
667 # endif
668         idmask = 1L << id;
669         if (!id || (dup_list & idmask)) {
670             OPENSSL_free(clist);
671             return 0;
672         }
673         dup_list |= idmask;
674         s2n(id, p);
675     }
676     if (*pext)
677         OPENSSL_free(*pext);
678     *pext = clist;
679     *pextlen = ncurves * 2;
680     return 1;
681 }
682 
683 # define MAX_CURVELIST   28
684 
685 typedef struct {
686     size_t nidcnt;
687     int nid_arr[MAX_CURVELIST];
688 } nid_cb_st;
689 
690 static int nid_cb(const char *elem, int len, void *arg)
691 {
692     nid_cb_st *narg = arg;
693     size_t i;
694     int nid;
695     char etmp[20];
696     if (elem == NULL)
697         return 0;
698     if (narg->nidcnt == MAX_CURVELIST)
699         return 0;
700     if (len > (int)(sizeof(etmp) - 1))
701         return 0;
702     memcpy(etmp, elem, len);
703     etmp[len] = 0;
704     nid = EC_curve_nist2nid(etmp);
705     if (nid == NID_undef)
706         nid = OBJ_sn2nid(etmp);
707     if (nid == NID_undef)
708         nid = OBJ_ln2nid(etmp);
709     if (nid == NID_undef)
710         return 0;
711     for (i = 0; i < narg->nidcnt; i++)
712         if (narg->nid_arr[i] == nid)
713             return 0;
714     narg->nid_arr[narg->nidcnt++] = nid;
715     return 1;
716 }
717 
718 /* Set curves based on a colon separate list */
719 int tls1_set_curves_list(unsigned char **pext, size_t *pextlen,
720                          const char *str)
721 {
722     nid_cb_st ncb;
723     ncb.nidcnt = 0;
724     if (!CONF_parse_list(str, ':', 1, nid_cb, &ncb))
725         return 0;
726     if (pext == NULL)
727         return 1;
728     return tls1_set_curves(pext, pextlen, ncb.nid_arr, ncb.nidcnt);
729 }
730 
731 /* For an EC key set TLS id and required compression based on parameters */
732 static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id,
733                           EC_KEY *ec)
734 {
735     int is_prime, id;
736     const EC_GROUP *grp;
737     const EC_METHOD *meth;
738     if (!ec)
739         return 0;
740     /* Determine if it is a prime field */
741     grp = EC_KEY_get0_group(ec);
742     if (!grp)
743         return 0;
744     meth = EC_GROUP_method_of(grp);
745     if (!meth)
746         return 0;
747     if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field)
748         is_prime = 1;
749     else
750         is_prime = 0;
751     /* Determine curve ID */
752     id = EC_GROUP_get_curve_name(grp);
753     id = tls1_ec_nid2curve_id(id);
754     /* If we have an ID set it, otherwise set arbitrary explicit curve */
755     if (id) {
756         curve_id[0] = 0;
757         curve_id[1] = (unsigned char)id;
758     } else {
759         curve_id[0] = 0xff;
760         if (is_prime)
761             curve_id[1] = 0x01;
762         else
763             curve_id[1] = 0x02;
764     }
765     if (comp_id) {
766         if (EC_KEY_get0_public_key(ec) == NULL)
767             return 0;
768         if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) {
769             if (is_prime)
770                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
771             else
772                 *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
773         } else
774             *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
775     }
776     return 1;
777 }
778 
779 /* Check an EC key is compatible with extensions */
780 static int tls1_check_ec_key(SSL *s,
781                              unsigned char *curve_id, unsigned char *comp_id)
782 {
783     const unsigned char *pformats, *pcurves;
784     size_t num_formats, num_curves, i;
785     int j;
786     /*
787      * If point formats extension present check it, otherwise everything is
788      * supported (see RFC4492).
789      */
790     if (comp_id && s->session->tlsext_ecpointformatlist) {
791         pformats = s->session->tlsext_ecpointformatlist;
792         num_formats = s->session->tlsext_ecpointformatlist_length;
793         for (i = 0; i < num_formats; i++, pformats++) {
794             if (*comp_id == *pformats)
795                 break;
796         }
797         if (i == num_formats)
798             return 0;
799     }
800     if (!curve_id)
801         return 1;
802     /* Check curve is consistent with client and server preferences */
803     for (j = 0; j <= 1; j++) {
804         if (!tls1_get_curvelist(s, j, &pcurves, &num_curves))
805             return 0;
806         if (j == 1 && num_curves == 0) {
807             /*
808              * If we've not received any curves then skip this check.
809              * RFC 4492 does not require the supported elliptic curves extension
810              * so if it is not sent we can just choose any curve.
811              * It is invalid to send an empty list in the elliptic curves
812              * extension, so num_curves == 0 always means no extension.
813              */
814             break;
815         }
816         for (i = 0; i < num_curves; i++, pcurves += 2) {
817             if (pcurves[0] == curve_id[0] && pcurves[1] == curve_id[1])
818                 break;
819         }
820         if (i == num_curves)
821             return 0;
822         /* For clients can only check sent curve list */
823         if (!s->server)
824             return 1;
825     }
826     return 1;
827 }
828 
829 static void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
830                                 size_t *num_formats)
831 {
832     /*
833      * If we have a custom point format list use it otherwise use default
834      */
835     if (s->tlsext_ecpointformatlist) {
836         *pformats = s->tlsext_ecpointformatlist;
837         *num_formats = s->tlsext_ecpointformatlist_length;
838     } else {
839         *pformats = ecformats_default;
840         /* For Suite B we don't support char2 fields */
841         if (tls1_suiteb(s))
842             *num_formats = sizeof(ecformats_default) - 1;
843         else
844             *num_formats = sizeof(ecformats_default);
845     }
846 }
847 
848 /*
849  * Check cert parameters compatible with extensions: currently just checks EC
850  * certificates have compatible curves and compression.
851  */
852 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
853 {
854     unsigned char comp_id, curve_id[2];
855     EVP_PKEY *pkey;
856     int rv;
857     pkey = X509_get_pubkey(x);
858     if (!pkey)
859         return 0;
860     /* If not EC nothing to do */
861     if (pkey->type != EVP_PKEY_EC) {
862         EVP_PKEY_free(pkey);
863         return 1;
864     }
865     rv = tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec);
866     EVP_PKEY_free(pkey);
867     if (!rv)
868         return 0;
869     /*
870      * Can't check curve_id for client certs as we don't have a supported
871      * curves extension.
872      */
873     rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id);
874     if (!rv)
875         return 0;
876     /*
877      * Special case for suite B. We *MUST* sign using SHA256+P-256 or
878      * SHA384+P-384, adjust digest if necessary.
879      */
880     if (set_ee_md && tls1_suiteb(s)) {
881         int check_md;
882         size_t i;
883         CERT *c = s->cert;
884         if (curve_id[0])
885             return 0;
886         /* Check to see we have necessary signing algorithm */
887         if (curve_id[1] == TLSEXT_curve_P_256)
888             check_md = NID_ecdsa_with_SHA256;
889         else if (curve_id[1] == TLSEXT_curve_P_384)
890             check_md = NID_ecdsa_with_SHA384;
891         else
892             return 0;           /* Should never happen */
893         for (i = 0; i < c->shared_sigalgslen; i++)
894             if (check_md == c->shared_sigalgs[i].signandhash_nid)
895                 break;
896         if (i == c->shared_sigalgslen)
897             return 0;
898         if (set_ee_md == 2) {
899             if (check_md == NID_ecdsa_with_SHA256)
900                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha256();
901             else
902                 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha384();
903         }
904     }
905     return rv;
906 }
907 
908 # ifndef OPENSSL_NO_ECDH
909 /* Check EC temporary key is compatible with client extensions */
910 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
911 {
912     unsigned char curve_id[2];
913     EC_KEY *ec = s->cert->ecdh_tmp;
914 #  ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
915     /* Allow any curve: not just those peer supports */
916     if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
917         return 1;
918 #  endif
919     /*
920      * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
921      * curves permitted.
922      */
923     if (tls1_suiteb(s)) {
924         /* Curve to check determined by ciphersuite */
925         if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
926             curve_id[1] = TLSEXT_curve_P_256;
927         else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
928             curve_id[1] = TLSEXT_curve_P_384;
929         else
930             return 0;
931         curve_id[0] = 0;
932         /* Check this curve is acceptable */
933         if (!tls1_check_ec_key(s, curve_id, NULL))
934             return 0;
935         /* If auto or setting curve from callback assume OK */
936         if (s->cert->ecdh_tmp_auto || s->cert->ecdh_tmp_cb)
937             return 1;
938         /* Otherwise check curve is acceptable */
939         else {
940             unsigned char curve_tmp[2];
941             if (!ec)
942                 return 0;
943             if (!tls1_set_ec_id(curve_tmp, NULL, ec))
944                 return 0;
945             if (!curve_tmp[0] || curve_tmp[1] == curve_id[1])
946                 return 1;
947             return 0;
948         }
949 
950     }
951     if (s->cert->ecdh_tmp_auto) {
952         /* Need a shared curve */
953         if (tls1_shared_curve(s, 0))
954             return 1;
955         else
956             return 0;
957     }
958     if (!ec) {
959         if (s->cert->ecdh_tmp_cb)
960             return 1;
961         else
962             return 0;
963     }
964     if (!tls1_set_ec_id(curve_id, NULL, ec))
965         return 0;
966 /* Set this to allow use of invalid curves for testing */
967 #  if 0
968     return 1;
969 #  else
970     return tls1_check_ec_key(s, curve_id, NULL);
971 #  endif
972 }
973 # endif                         /* OPENSSL_NO_ECDH */
974 
975 #else
976 
977 static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
978 {
979     return 1;
980 }
981 
982 #endif                          /* OPENSSL_NO_EC */
983 
984 #ifndef OPENSSL_NO_TLSEXT
985 
986 /*
987  * List of supported signature algorithms and hashes. Should make this
988  * customisable at some point, for now include everything we support.
989  */
990 
991 # ifdef OPENSSL_NO_RSA
992 #  define tlsext_sigalg_rsa(md) /* */
993 # else
994 #  define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
995 # endif
996 
997 # ifdef OPENSSL_NO_DSA
998 #  define tlsext_sigalg_dsa(md) /* */
999 # else
1000 #  define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
1001 # endif
1002 
1003 # ifdef OPENSSL_NO_ECDSA
1004 #  define tlsext_sigalg_ecdsa(md)
1005                                 /* */
1006 # else
1007 #  define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
1008 # endif
1009 
1010 # define tlsext_sigalg(md) \
1011                 tlsext_sigalg_rsa(md) \
1012                 tlsext_sigalg_dsa(md) \
1013                 tlsext_sigalg_ecdsa(md)
1014 
1015 static unsigned char tls12_sigalgs[] = {
1016 # ifndef OPENSSL_NO_SHA512
1017     tlsext_sigalg(TLSEXT_hash_sha512)
1018         tlsext_sigalg(TLSEXT_hash_sha384)
1019 # endif
1020 # ifndef OPENSSL_NO_SHA256
1021         tlsext_sigalg(TLSEXT_hash_sha256)
1022         tlsext_sigalg(TLSEXT_hash_sha224)
1023 # endif
1024 # ifndef OPENSSL_NO_SHA
1025         tlsext_sigalg(TLSEXT_hash_sha1)
1026 # endif
1027 };
1028 
1029 # ifndef OPENSSL_NO_ECDSA
1030 static unsigned char suiteb_sigalgs[] = {
1031     tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
1032         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
1033 };
1034 # endif
1035 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
1036 {
1037     /*
1038      * If Suite B mode use Suite B sigalgs only, ignore any other
1039      * preferences.
1040      */
1041 # ifndef OPENSSL_NO_EC
1042     switch (tls1_suiteb(s)) {
1043     case SSL_CERT_FLAG_SUITEB_128_LOS:
1044         *psigs = suiteb_sigalgs;
1045         return sizeof(suiteb_sigalgs);
1046 
1047     case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1048         *psigs = suiteb_sigalgs;
1049         return 2;
1050 
1051     case SSL_CERT_FLAG_SUITEB_192_LOS:
1052         *psigs = suiteb_sigalgs + 2;
1053         return 2;
1054     }
1055 # endif
1056     /* If server use client authentication sigalgs if not NULL */
1057     if (s->server && s->cert->client_sigalgs) {
1058         *psigs = s->cert->client_sigalgs;
1059         return s->cert->client_sigalgslen;
1060     } else if (s->cert->conf_sigalgs) {
1061         *psigs = s->cert->conf_sigalgs;
1062         return s->cert->conf_sigalgslen;
1063     } else {
1064         *psigs = tls12_sigalgs;
1065         return sizeof(tls12_sigalgs);
1066     }
1067 }
1068 
1069 /*
1070  * Check signature algorithm is consistent with sent supported signature
1071  * algorithms and if so return relevant digest.
1072  */
1073 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
1074                             const unsigned char *sig, EVP_PKEY *pkey)
1075 {
1076     const unsigned char *sent_sigs;
1077     size_t sent_sigslen, i;
1078     int sigalg = tls12_get_sigid(pkey);
1079     /* Should never happen */
1080     if (sigalg == -1)
1081         return -1;
1082     /* Check key type is consistent with signature */
1083     if (sigalg != (int)sig[1]) {
1084         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1085         return 0;
1086     }
1087 # ifndef OPENSSL_NO_EC
1088     if (pkey->type == EVP_PKEY_EC) {
1089         unsigned char curve_id[2], comp_id;
1090         /* Check compression and curve matches extensions */
1091         if (!tls1_set_ec_id(curve_id, &comp_id, pkey->pkey.ec))
1092             return 0;
1093         if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) {
1094             SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
1095             return 0;
1096         }
1097         /* If Suite B only P-384+SHA384 or P-256+SHA-256 allowed */
1098         if (tls1_suiteb(s)) {
1099             if (curve_id[0])
1100                 return 0;
1101             if (curve_id[1] == TLSEXT_curve_P_256) {
1102                 if (sig[0] != TLSEXT_hash_sha256) {
1103                     SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1104                            SSL_R_ILLEGAL_SUITEB_DIGEST);
1105                     return 0;
1106                 }
1107             } else if (curve_id[1] == TLSEXT_curve_P_384) {
1108                 if (sig[0] != TLSEXT_hash_sha384) {
1109                     SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
1110                            SSL_R_ILLEGAL_SUITEB_DIGEST);
1111                     return 0;
1112                 }
1113             } else
1114                 return 0;
1115         }
1116     } else if (tls1_suiteb(s))
1117         return 0;
1118 # endif
1119 
1120     /* Check signature matches a type we sent */
1121     sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
1122     for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
1123         if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
1124             break;
1125     }
1126     /* Allow fallback to SHA1 if not strict mode */
1127     if (i == sent_sigslen
1128         && (sig[0] != TLSEXT_hash_sha1
1129             || s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
1130         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
1131         return 0;
1132     }
1133     *pmd = tls12_get_hash(sig[0]);
1134     if (*pmd == NULL) {
1135         SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_UNKNOWN_DIGEST);
1136         return 0;
1137     }
1138     /*
1139      * Store the digest used so applications can retrieve it if they wish.
1140      */
1141     if (s->session && s->session->sess_cert)
1142         s->session->sess_cert->peer_key->digest = *pmd;
1143     return 1;
1144 }
1145 
1146 /*
1147  * Get a mask of disabled algorithms: an algorithm is disabled if it isn't
1148  * supported or doesn't appear in supported signature algorithms. Unlike
1149  * ssl_cipher_get_disabled this applies to a specific session and not global
1150  * settings.
1151  */
1152 void ssl_set_client_disabled(SSL *s)
1153 {
1154     CERT *c = s->cert;
1155     const unsigned char *sigalgs;
1156     size_t i, sigalgslen;
1157     int have_rsa = 0, have_dsa = 0, have_ecdsa = 0;
1158     c->mask_a = 0;
1159     c->mask_k = 0;
1160     /* Don't allow TLS 1.2 only ciphers if we don't suppport them */
1161     if (!SSL_CLIENT_USE_TLS1_2_CIPHERS(s))
1162         c->mask_ssl = SSL_TLSV1_2;
1163     else
1164         c->mask_ssl = 0;
1165     /*
1166      * Now go through all signature algorithms seeing if we support any for
1167      * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
1168      */
1169     sigalgslen = tls12_get_psigalgs(s, &sigalgs);
1170     for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
1171         switch (sigalgs[1]) {
1172 # ifndef OPENSSL_NO_RSA
1173         case TLSEXT_signature_rsa:
1174             have_rsa = 1;
1175             break;
1176 # endif
1177 # ifndef OPENSSL_NO_DSA
1178         case TLSEXT_signature_dsa:
1179             have_dsa = 1;
1180             break;
1181 # endif
1182 # ifndef OPENSSL_NO_ECDSA
1183         case TLSEXT_signature_ecdsa:
1184             have_ecdsa = 1;
1185             break;
1186 # endif
1187         }
1188     }
1189     /*
1190      * Disable auth and static DH if we don't include any appropriate
1191      * signature algorithms.
1192      */
1193     if (!have_rsa) {
1194         c->mask_a |= SSL_aRSA;
1195         c->mask_k |= SSL_kDHr | SSL_kECDHr;
1196     }
1197     if (!have_dsa) {
1198         c->mask_a |= SSL_aDSS;
1199         c->mask_k |= SSL_kDHd;
1200     }
1201     if (!have_ecdsa) {
1202         c->mask_a |= SSL_aECDSA;
1203         c->mask_k |= SSL_kECDHe;
1204     }
1205 # ifndef OPENSSL_NO_KRB5
1206     if (!kssl_tgt_is_available(s->kssl_ctx)) {
1207         c->mask_a |= SSL_aKRB5;
1208         c->mask_k |= SSL_kKRB5;
1209     }
1210 # endif
1211 # ifndef OPENSSL_NO_PSK
1212     /* with PSK there must be client callback set */
1213     if (!s->psk_client_callback) {
1214         c->mask_a |= SSL_aPSK;
1215         c->mask_k |= SSL_kPSK;
1216     }
1217 # endif                         /* OPENSSL_NO_PSK */
1218 # ifndef OPENSSL_NO_SRP
1219     if (!(s->srp_ctx.srp_Mask & SSL_kSRP)) {
1220         c->mask_a |= SSL_aSRP;
1221         c->mask_k |= SSL_kSRP;
1222     }
1223 # endif
1224     c->valid = 1;
1225 }
1226 
1227 unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
1228                                           unsigned char *limit, int *al)
1229 {
1230     int extdatalen = 0;
1231     unsigned char *orig = buf;
1232     unsigned char *ret = buf;
1233 # ifndef OPENSSL_NO_EC
1234     /* See if we support any ECC ciphersuites */
1235     int using_ecc = 0;
1236     if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
1237         int i;
1238         unsigned long alg_k, alg_a;
1239         STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
1240 
1241         for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
1242             SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
1243 
1244             alg_k = c->algorithm_mkey;
1245             alg_a = c->algorithm_auth;
1246             if ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)
1247                  || (alg_a & SSL_aECDSA))) {
1248                 using_ecc = 1;
1249                 break;
1250             }
1251         }
1252     }
1253 # endif
1254 
1255     /* don't add extensions for SSLv3 unless doing secure renegotiation */
1256     if (s->client_version == SSL3_VERSION && !s->s3->send_connection_binding)
1257         return orig;
1258 
1259     ret += 2;
1260 
1261     if (ret >= limit)
1262         return NULL;            /* this really never occurs, but ... */
1263 
1264     if (s->tlsext_hostname != NULL) {
1265         /* Add TLS extension servername to the Client Hello message */
1266         unsigned long size_str;
1267         long lenmax;
1268 
1269         /*-
1270          * check for enough space.
1271          * 4 for the servername type and entension length
1272          * 2 for servernamelist length
1273          * 1 for the hostname type
1274          * 2 for hostname length
1275          * + hostname length
1276          */
1277 
1278         if ((lenmax = limit - ret - 9) < 0
1279             || (size_str =
1280                 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
1281             return NULL;
1282 
1283         /* extension type and length */
1284         s2n(TLSEXT_TYPE_server_name, ret);
1285         s2n(size_str + 5, ret);
1286 
1287         /* length of servername list */
1288         s2n(size_str + 3, ret);
1289 
1290         /* hostname type, length and hostname */
1291         *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
1292         s2n(size_str, ret);
1293         memcpy(ret, s->tlsext_hostname, size_str);
1294         ret += size_str;
1295     }
1296 
1297     /* Add RI if renegotiating */
1298     if (s->renegotiate) {
1299         int el;
1300 
1301         if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
1302             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1303             return NULL;
1304         }
1305 
1306         if ((limit - ret - 4 - el) < 0)
1307             return NULL;
1308 
1309         s2n(TLSEXT_TYPE_renegotiate, ret);
1310         s2n(el, ret);
1311 
1312         if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
1313             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1314             return NULL;
1315         }
1316 
1317         ret += el;
1318     }
1319 # ifndef OPENSSL_NO_SRP
1320     /* Add SRP username if there is one */
1321     if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
1322                                      * Client Hello message */
1323 
1324         int login_len = strlen(s->srp_ctx.login);
1325         if (login_len > 255 || login_len == 0) {
1326             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1327             return NULL;
1328         }
1329 
1330         /*-
1331          * check for enough space.
1332          * 4 for the srp type type and entension length
1333          * 1 for the srp user identity
1334          * + srp user identity length
1335          */
1336         if ((limit - ret - 5 - login_len) < 0)
1337             return NULL;
1338 
1339         /* fill in the extension */
1340         s2n(TLSEXT_TYPE_srp, ret);
1341         s2n(login_len + 1, ret);
1342         (*ret++) = (unsigned char)login_len;
1343         memcpy(ret, s->srp_ctx.login, login_len);
1344         ret += login_len;
1345     }
1346 # endif
1347 
1348 # ifndef OPENSSL_NO_EC
1349     if (using_ecc) {
1350         /*
1351          * Add TLS extension ECPointFormats to the ClientHello message
1352          */
1353         long lenmax;
1354         const unsigned char *pcurves, *pformats;
1355         size_t num_curves, num_formats, curves_list_len;
1356 
1357         tls1_get_formatlist(s, &pformats, &num_formats);
1358 
1359         if ((lenmax = limit - ret - 5) < 0)
1360             return NULL;
1361         if (num_formats > (size_t)lenmax)
1362             return NULL;
1363         if (num_formats > 255) {
1364             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1365             return NULL;
1366         }
1367 
1368         s2n(TLSEXT_TYPE_ec_point_formats, ret);
1369         /* The point format list has 1-byte length. */
1370         s2n(num_formats + 1, ret);
1371         *(ret++) = (unsigned char)num_formats;
1372         memcpy(ret, pformats, num_formats);
1373         ret += num_formats;
1374 
1375         /*
1376          * Add TLS extension EllipticCurves to the ClientHello message
1377          */
1378         pcurves = s->tlsext_ellipticcurvelist;
1379         if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
1380             return NULL;
1381 
1382         if ((lenmax = limit - ret - 6) < 0)
1383             return NULL;
1384         if (num_curves > (size_t)lenmax / 2)
1385             return NULL;
1386         if (num_curves > 65532 / 2) {
1387             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1388             return NULL;
1389         }
1390         curves_list_len = 2 * num_curves;
1391         s2n(TLSEXT_TYPE_elliptic_curves, ret);
1392         s2n(curves_list_len + 2, ret);
1393         s2n(curves_list_len, ret);
1394         memcpy(ret, pcurves, curves_list_len);
1395         ret += curves_list_len;
1396     }
1397 # endif                         /* OPENSSL_NO_EC */
1398 
1399     if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1400         int ticklen;
1401         if (!s->new_session && s->session && s->session->tlsext_tick)
1402             ticklen = s->session->tlsext_ticklen;
1403         else if (s->session && s->tlsext_session_ticket &&
1404                  s->tlsext_session_ticket->data) {
1405             ticklen = s->tlsext_session_ticket->length;
1406             s->session->tlsext_tick = OPENSSL_malloc(ticklen);
1407             if (!s->session->tlsext_tick)
1408                 return NULL;
1409             memcpy(s->session->tlsext_tick,
1410                    s->tlsext_session_ticket->data, ticklen);
1411             s->session->tlsext_ticklen = ticklen;
1412         } else
1413             ticklen = 0;
1414         if (ticklen == 0 && s->tlsext_session_ticket &&
1415             s->tlsext_session_ticket->data == NULL)
1416             goto skip_ext;
1417         /*
1418          * Check for enough room 2 for extension type, 2 for len rest for
1419          * ticket
1420          */
1421         if ((long)(limit - ret - 4 - ticklen) < 0)
1422             return NULL;
1423         s2n(TLSEXT_TYPE_session_ticket, ret);
1424         s2n(ticklen, ret);
1425         if (ticklen) {
1426             memcpy(ret, s->session->tlsext_tick, ticklen);
1427             ret += ticklen;
1428         }
1429     }
1430  skip_ext:
1431 
1432     if (SSL_USE_SIGALGS(s)) {
1433         size_t salglen;
1434         const unsigned char *salg;
1435         salglen = tls12_get_psigalgs(s, &salg);
1436         if ((size_t)(limit - ret) < salglen + 6)
1437             return NULL;
1438         s2n(TLSEXT_TYPE_signature_algorithms, ret);
1439         s2n(salglen + 2, ret);
1440         s2n(salglen, ret);
1441         memcpy(ret, salg, salglen);
1442         ret += salglen;
1443     }
1444 # ifdef TLSEXT_TYPE_opaque_prf_input
1445     if (s->s3->client_opaque_prf_input != NULL) {
1446         size_t col = s->s3->client_opaque_prf_input_len;
1447 
1448         if ((long)(limit - ret - 6 - col < 0))
1449             return NULL;
1450         if (col > 0xFFFD)       /* can't happen */
1451             return NULL;
1452 
1453         s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1454         s2n(col + 2, ret);
1455         s2n(col, ret);
1456         memcpy(ret, s->s3->client_opaque_prf_input, col);
1457         ret += col;
1458     }
1459 # endif
1460 
1461     if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
1462         int i;
1463         long extlen, idlen, itmp;
1464         OCSP_RESPID *id;
1465 
1466         idlen = 0;
1467         for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1468             id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1469             itmp = i2d_OCSP_RESPID(id, NULL);
1470             if (itmp <= 0)
1471                 return NULL;
1472             idlen += itmp + 2;
1473         }
1474 
1475         if (s->tlsext_ocsp_exts) {
1476             extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
1477             if (extlen < 0)
1478                 return NULL;
1479         } else
1480             extlen = 0;
1481 
1482         if ((long)(limit - ret - 7 - extlen - idlen) < 0)
1483             return NULL;
1484         s2n(TLSEXT_TYPE_status_request, ret);
1485         if (extlen + idlen > 0xFFF0)
1486             return NULL;
1487         s2n(extlen + idlen + 5, ret);
1488         *(ret++) = TLSEXT_STATUSTYPE_ocsp;
1489         s2n(idlen, ret);
1490         for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
1491             /* save position of id len */
1492             unsigned char *q = ret;
1493             id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
1494             /* skip over id len */
1495             ret += 2;
1496             itmp = i2d_OCSP_RESPID(id, &ret);
1497             /* write id len */
1498             s2n(itmp, q);
1499         }
1500         s2n(extlen, ret);
1501         if (extlen > 0)
1502             i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
1503     }
1504 # ifndef OPENSSL_NO_HEARTBEATS
1505     /* Add Heartbeat extension */
1506     if ((limit - ret - 4 - 1) < 0)
1507         return NULL;
1508     s2n(TLSEXT_TYPE_heartbeat, ret);
1509     s2n(1, ret);
1510     /*-
1511      * Set mode:
1512      * 1: peer may send requests
1513      * 2: peer not allowed to send requests
1514      */
1515     if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1516         *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1517     else
1518         *(ret++) = SSL_TLSEXT_HB_ENABLED;
1519 # endif
1520 
1521 # ifndef OPENSSL_NO_NEXTPROTONEG
1522     if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) {
1523         /*
1524          * The client advertises an emtpy extension to indicate its support
1525          * for Next Protocol Negotiation
1526          */
1527         if (limit - ret - 4 < 0)
1528             return NULL;
1529         s2n(TLSEXT_TYPE_next_proto_neg, ret);
1530         s2n(0, ret);
1531     }
1532 # endif
1533 
1534     if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
1535         if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
1536             return NULL;
1537         s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1538         s2n(2 + s->alpn_client_proto_list_len, ret);
1539         s2n(s->alpn_client_proto_list_len, ret);
1540         memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
1541         ret += s->alpn_client_proto_list_len;
1542         s->cert->alpn_sent = 1;
1543     }
1544 # ifndef OPENSSL_NO_SRTP
1545     if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
1546         int el;
1547 
1548         ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
1549 
1550         if ((limit - ret - 4 - el) < 0)
1551             return NULL;
1552 
1553         s2n(TLSEXT_TYPE_use_srtp, ret);
1554         s2n(el, ret);
1555 
1556         if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
1557             SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1558             return NULL;
1559         }
1560         ret += el;
1561     }
1562 # endif
1563     custom_ext_init(&s->cert->cli_ext);
1564     /* Add custom TLS Extensions to ClientHello */
1565     if (!custom_ext_add(s, 0, &ret, limit, al))
1566         return NULL;
1567 
1568     /*
1569      * Add padding to workaround bugs in F5 terminators. See
1570      * https://tools.ietf.org/html/draft-agl-tls-padding-03 NB: because this
1571      * code works out the length of all existing extensions it MUST always
1572      * appear last.
1573      */
1574     if (s->options & SSL_OP_TLSEXT_PADDING) {
1575         int hlen = ret - (unsigned char *)s->init_buf->data;
1576         /*
1577          * The code in s23_clnt.c to build ClientHello messages includes the
1578          * 5-byte record header in the buffer, while the code in s3_clnt.c
1579          * does not.
1580          */
1581         if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
1582             hlen -= 5;
1583         if (hlen > 0xff && hlen < 0x200) {
1584             hlen = 0x200 - hlen;
1585             if (hlen >= 4)
1586                 hlen -= 4;
1587             else
1588                 hlen = 0;
1589 
1590             s2n(TLSEXT_TYPE_padding, ret);
1591             s2n(hlen, ret);
1592             memset(ret, 0, hlen);
1593             ret += hlen;
1594         }
1595     }
1596 
1597     if ((extdatalen = ret - orig - 2) == 0)
1598         return orig;
1599 
1600     s2n(extdatalen, orig);
1601     return ret;
1602 }
1603 
1604 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
1605                                           unsigned char *limit, int *al)
1606 {
1607     int extdatalen = 0;
1608     unsigned char *orig = buf;
1609     unsigned char *ret = buf;
1610 # ifndef OPENSSL_NO_NEXTPROTONEG
1611     int next_proto_neg_seen;
1612 # endif
1613 # ifndef OPENSSL_NO_EC
1614     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1615     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1616     int using_ecc = (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
1617         || (alg_a & SSL_aECDSA);
1618     using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
1619 # endif
1620     /*
1621      * don't add extensions for SSLv3, unless doing secure renegotiation
1622      */
1623     if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
1624         return orig;
1625 
1626     ret += 2;
1627     if (ret >= limit)
1628         return NULL;            /* this really never occurs, but ... */
1629 
1630     if (!s->hit && s->servername_done == 1
1631         && s->session->tlsext_hostname != NULL) {
1632         if ((long)(limit - ret - 4) < 0)
1633             return NULL;
1634 
1635         s2n(TLSEXT_TYPE_server_name, ret);
1636         s2n(0, ret);
1637     }
1638 
1639     if (s->s3->send_connection_binding) {
1640         int el;
1641 
1642         if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) {
1643             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1644             return NULL;
1645         }
1646 
1647         if ((limit - ret - 4 - el) < 0)
1648             return NULL;
1649 
1650         s2n(TLSEXT_TYPE_renegotiate, ret);
1651         s2n(el, ret);
1652 
1653         if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) {
1654             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1655             return NULL;
1656         }
1657 
1658         ret += el;
1659     }
1660 # ifndef OPENSSL_NO_EC
1661     if (using_ecc) {
1662         const unsigned char *plist;
1663         size_t plistlen;
1664         /*
1665          * Add TLS extension ECPointFormats to the ServerHello message
1666          */
1667         long lenmax;
1668 
1669         tls1_get_formatlist(s, &plist, &plistlen);
1670 
1671         if ((lenmax = limit - ret - 5) < 0)
1672             return NULL;
1673         if (plistlen > (size_t)lenmax)
1674             return NULL;
1675         if (plistlen > 255) {
1676             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1677             return NULL;
1678         }
1679 
1680         s2n(TLSEXT_TYPE_ec_point_formats, ret);
1681         s2n(plistlen + 1, ret);
1682         *(ret++) = (unsigned char)plistlen;
1683         memcpy(ret, plist, plistlen);
1684         ret += plistlen;
1685 
1686     }
1687     /*
1688      * Currently the server should not respond with a SupportedCurves
1689      * extension
1690      */
1691 # endif                         /* OPENSSL_NO_EC */
1692 
1693     if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
1694         if ((long)(limit - ret - 4) < 0)
1695             return NULL;
1696         s2n(TLSEXT_TYPE_session_ticket, ret);
1697         s2n(0, ret);
1698     }
1699 
1700     if (s->tlsext_status_expected) {
1701         if ((long)(limit - ret - 4) < 0)
1702             return NULL;
1703         s2n(TLSEXT_TYPE_status_request, ret);
1704         s2n(0, ret);
1705     }
1706 # ifdef TLSEXT_TYPE_opaque_prf_input
1707     if (s->s3->server_opaque_prf_input != NULL) {
1708         size_t sol = s->s3->server_opaque_prf_input_len;
1709 
1710         if ((long)(limit - ret - 6 - sol) < 0)
1711             return NULL;
1712         if (sol > 0xFFFD)       /* can't happen */
1713             return NULL;
1714 
1715         s2n(TLSEXT_TYPE_opaque_prf_input, ret);
1716         s2n(sol + 2, ret);
1717         s2n(sol, ret);
1718         memcpy(ret, s->s3->server_opaque_prf_input, sol);
1719         ret += sol;
1720     }
1721 # endif
1722 
1723 # ifndef OPENSSL_NO_SRTP
1724     if (SSL_IS_DTLS(s) && s->srtp_profile) {
1725         int el;
1726 
1727         ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
1728 
1729         if ((limit - ret - 4 - el) < 0)
1730             return NULL;
1731 
1732         s2n(TLSEXT_TYPE_use_srtp, ret);
1733         s2n(el, ret);
1734 
1735         if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) {
1736             SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
1737             return NULL;
1738         }
1739         ret += el;
1740     }
1741 # endif
1742 
1743     if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80
1744          || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81)
1745         && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
1746         const unsigned char cryptopro_ext[36] = {
1747             0xfd, 0xe8,         /* 65000 */
1748             0x00, 0x20,         /* 32 bytes length */
1749             0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85,
1750             0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06,
1751             0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08,
1752             0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
1753         };
1754         if (limit - ret < 36)
1755             return NULL;
1756         memcpy(ret, cryptopro_ext, 36);
1757         ret += 36;
1758 
1759     }
1760 # ifndef OPENSSL_NO_HEARTBEATS
1761     /* Add Heartbeat extension if we've received one */
1762     if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
1763         if ((limit - ret - 4 - 1) < 0)
1764             return NULL;
1765         s2n(TLSEXT_TYPE_heartbeat, ret);
1766         s2n(1, ret);
1767         /*-
1768          * Set mode:
1769          * 1: peer may send requests
1770          * 2: peer not allowed to send requests
1771          */
1772         if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
1773             *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1774         else
1775             *(ret++) = SSL_TLSEXT_HB_ENABLED;
1776 
1777     }
1778 # endif
1779 
1780 # ifndef OPENSSL_NO_NEXTPROTONEG
1781     next_proto_neg_seen = s->s3->next_proto_neg_seen;
1782     s->s3->next_proto_neg_seen = 0;
1783     if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) {
1784         const unsigned char *npa;
1785         unsigned int npalen;
1786         int r;
1787 
1788         r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
1789                                               s->
1790                                               ctx->next_protos_advertised_cb_arg);
1791         if (r == SSL_TLSEXT_ERR_OK) {
1792             if ((long)(limit - ret - 4 - npalen) < 0)
1793                 return NULL;
1794             s2n(TLSEXT_TYPE_next_proto_neg, ret);
1795             s2n(npalen, ret);
1796             memcpy(ret, npa, npalen);
1797             ret += npalen;
1798             s->s3->next_proto_neg_seen = 1;
1799         }
1800     }
1801 # endif
1802     if (!custom_ext_add(s, 1, &ret, limit, al))
1803         return NULL;
1804 
1805     if (s->s3->alpn_selected) {
1806         const unsigned char *selected = s->s3->alpn_selected;
1807         unsigned len = s->s3->alpn_selected_len;
1808 
1809         if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
1810             return NULL;
1811         s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
1812         s2n(3 + len, ret);
1813         s2n(1 + len, ret);
1814         *ret++ = len;
1815         memcpy(ret, selected, len);
1816         ret += len;
1817     }
1818 
1819     if ((extdatalen = ret - orig - 2) == 0)
1820         return orig;
1821 
1822     s2n(extdatalen, orig);
1823     return ret;
1824 }
1825 
1826 # ifndef OPENSSL_NO_EC
1827 /*-
1828  * ssl_check_for_safari attempts to fingerprint Safari using OS X
1829  * SecureTransport using the TLS extension block in |d|, of length |n|.
1830  * Safari, since 10.6, sends exactly these extensions, in this order:
1831  *   SNI,
1832  *   elliptic_curves
1833  *   ec_point_formats
1834  *
1835  * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1836  * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1837  * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
1838  * 10.8..10.8.3 (which don't work).
1839  */
1840 static void ssl_check_for_safari(SSL *s, const unsigned char *data,
1841                                  const unsigned char *limit)
1842 {
1843     unsigned short type, size;
1844     static const unsigned char kSafariExtensionsBlock[] = {
1845         0x00, 0x0a,             /* elliptic_curves extension */
1846         0x00, 0x08,             /* 8 bytes */
1847         0x00, 0x06,             /* 6 bytes of curve ids */
1848         0x00, 0x17,             /* P-256 */
1849         0x00, 0x18,             /* P-384 */
1850         0x00, 0x19,             /* P-521 */
1851 
1852         0x00, 0x0b,             /* ec_point_formats */
1853         0x00, 0x02,             /* 2 bytes */
1854         0x01,                   /* 1 point format */
1855         0x00,                   /* uncompressed */
1856     };
1857 
1858     /* The following is only present in TLS 1.2 */
1859     static const unsigned char kSafariTLS12ExtensionsBlock[] = {
1860         0x00, 0x0d,             /* signature_algorithms */
1861         0x00, 0x0c,             /* 12 bytes */
1862         0x00, 0x0a,             /* 10 bytes */
1863         0x05, 0x01,             /* SHA-384/RSA */
1864         0x04, 0x01,             /* SHA-256/RSA */
1865         0x02, 0x01,             /* SHA-1/RSA */
1866         0x04, 0x03,             /* SHA-256/ECDSA */
1867         0x02, 0x03,             /* SHA-1/ECDSA */
1868     };
1869 
1870     if (data >= (limit - 2))
1871         return;
1872     data += 2;
1873 
1874     if (data > (limit - 4))
1875         return;
1876     n2s(data, type);
1877     n2s(data, size);
1878 
1879     if (type != TLSEXT_TYPE_server_name)
1880         return;
1881 
1882     if (data + size > limit)
1883         return;
1884     data += size;
1885 
1886     if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
1887         const size_t len1 = sizeof(kSafariExtensionsBlock);
1888         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
1889 
1890         if (data + len1 + len2 != limit)
1891             return;
1892         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
1893             return;
1894         if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
1895             return;
1896     } else {
1897         const size_t len = sizeof(kSafariExtensionsBlock);
1898 
1899         if (data + len != limit)
1900             return;
1901         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
1902             return;
1903     }
1904 
1905     s->s3->is_probably_safari = 1;
1906 }
1907 # endif                         /* !OPENSSL_NO_EC */
1908 
1909 /*
1910  * tls1_alpn_handle_client_hello is called to save the ALPN extension in a
1911  * ClientHello.  data: the contents of the extension, not including the type
1912  * and length.  data_len: the number of bytes in |data| al: a pointer to the
1913  * alert value to send in the event of a non-zero return.  returns: 0 on
1914  * success.
1915  */
1916 static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
1917                                          unsigned data_len, int *al)
1918 {
1919     unsigned i;
1920     unsigned proto_len;
1921 
1922     if (data_len < 2)
1923         goto parse_error;
1924 
1925     /*
1926      * data should contain a uint16 length followed by a series of 8-bit,
1927      * length-prefixed strings.
1928      */
1929     i = ((unsigned)data[0]) << 8 | ((unsigned)data[1]);
1930     data_len -= 2;
1931     data += 2;
1932     if (data_len != i)
1933         goto parse_error;
1934 
1935     if (data_len < 2)
1936         goto parse_error;
1937 
1938     for (i = 0; i < data_len;) {
1939         proto_len = data[i];
1940         i++;
1941 
1942         if (proto_len == 0)
1943             goto parse_error;
1944 
1945         if (i + proto_len < i || i + proto_len > data_len)
1946             goto parse_error;
1947 
1948         i += proto_len;
1949     }
1950 
1951     if (s->cert->alpn_proposed != NULL)
1952         OPENSSL_free(s->cert->alpn_proposed);
1953     s->cert->alpn_proposed = OPENSSL_malloc(data_len);
1954     if (s->cert->alpn_proposed == NULL) {
1955         *al = SSL_AD_INTERNAL_ERROR;
1956         return -1;
1957     }
1958     memcpy(s->cert->alpn_proposed, data, data_len);
1959     s->cert->alpn_proposed_len = data_len;
1960     return 0;
1961 
1962  parse_error:
1963     *al = SSL_AD_DECODE_ERROR;
1964     return -1;
1965 }
1966 
1967 /*
1968  * Process the ALPN extension in a ClientHello.
1969  * ret: a pointer to the TLSEXT return value: SSL_TLSEXT_ERR_*
1970  * al: a pointer to the alert value to send in the event of a failure.
1971  * returns 1 on success, 0 on failure: al/ret set only on failure
1972  */
1973 static int tls1_alpn_handle_client_hello_late(SSL *s, int *ret, int *al)
1974 {
1975     const unsigned char *selected = NULL;
1976     unsigned char selected_len = 0;
1977 
1978     if (s->ctx->alpn_select_cb != NULL && s->cert->alpn_proposed != NULL) {
1979         int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
1980                                        s->cert->alpn_proposed,
1981                                        s->cert->alpn_proposed_len,
1982                                        s->ctx->alpn_select_cb_arg);
1983 
1984         if (r == SSL_TLSEXT_ERR_OK) {
1985             OPENSSL_free(s->s3->alpn_selected);
1986             s->s3->alpn_selected = OPENSSL_malloc(selected_len);
1987             if (s->s3->alpn_selected == NULL) {
1988                 *al = SSL_AD_INTERNAL_ERROR;
1989                 *ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1990                 return 0;
1991             }
1992             memcpy(s->s3->alpn_selected, selected, selected_len);
1993             s->s3->alpn_selected_len = selected_len;
1994 # ifndef OPENSSL_NO_NEXTPROTONEG
1995             /* ALPN takes precedence over NPN. */
1996             s->s3->next_proto_neg_seen = 0;
1997 # endif
1998         }
1999     }
2000 
2001     return 1;
2002 }
2003 
2004 static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
2005                                        unsigned char *limit, int *al)
2006 {
2007     unsigned short type;
2008     unsigned short size;
2009     unsigned short len;
2010     unsigned char *data = *p;
2011     int renegotiate_seen = 0;
2012 
2013     s->servername_done = 0;
2014     s->tlsext_status_type = -1;
2015 # ifndef OPENSSL_NO_NEXTPROTONEG
2016     s->s3->next_proto_neg_seen = 0;
2017 # endif
2018 
2019     if (s->s3->alpn_selected) {
2020         OPENSSL_free(s->s3->alpn_selected);
2021         s->s3->alpn_selected = NULL;
2022     }
2023     s->s3->alpn_selected_len = 0;
2024     if (s->cert->alpn_proposed) {
2025         OPENSSL_free(s->cert->alpn_proposed);
2026         s->cert->alpn_proposed = NULL;
2027     }
2028     s->cert->alpn_proposed_len = 0;
2029 # ifndef OPENSSL_NO_HEARTBEATS
2030     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2031                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2032 # endif
2033 
2034 # ifndef OPENSSL_NO_EC
2035     if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
2036         ssl_check_for_safari(s, data, limit);
2037 # endif                         /* !OPENSSL_NO_EC */
2038 
2039     /* Clear any signature algorithms extension received */
2040     if (s->cert->peer_sigalgs) {
2041         OPENSSL_free(s->cert->peer_sigalgs);
2042         s->cert->peer_sigalgs = NULL;
2043     }
2044 # ifndef OPENSSL_NO_SRP
2045     if (s->srp_ctx.login != NULL) {
2046         OPENSSL_free(s->srp_ctx.login);
2047         s->srp_ctx.login = NULL;
2048     }
2049 # endif
2050 
2051     s->srtp_profile = NULL;
2052 
2053     if (data == limit)
2054         goto ri_check;
2055 
2056     if (data > (limit - 2))
2057         goto err;
2058 
2059     n2s(data, len);
2060 
2061     if (data + len != limit)
2062         goto err;
2063 
2064     while (data <= (limit - 4)) {
2065         n2s(data, type);
2066         n2s(data, size);
2067 
2068         if (data + size > (limit))
2069             goto err;
2070 # if 0
2071         fprintf(stderr, "Received extension type %d size %d\n", type, size);
2072 # endif
2073         if (s->tlsext_debug_cb)
2074             s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
2075 /*-
2076  * The servername extension is treated as follows:
2077  *
2078  * - Only the hostname type is supported with a maximum length of 255.
2079  * - The servername is rejected if too long or if it contains zeros,
2080  *   in which case an fatal alert is generated.
2081  * - The servername field is maintained together with the session cache.
2082  * - When a session is resumed, the servername call back invoked in order
2083  *   to allow the application to position itself to the right context.
2084  * - The servername is acknowledged if it is new for a session or when
2085  *   it is identical to a previously used for the same session.
2086  *   Applications can control the behaviour.  They can at any time
2087  *   set a 'desirable' servername for a new SSL object. This can be the
2088  *   case for example with HTTPS when a Host: header field is received and
2089  *   a renegotiation is requested. In this case, a possible servername
2090  *   presented in the new client hello is only acknowledged if it matches
2091  *   the value of the Host: field.
2092  * - Applications must  use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
2093  *   if they provide for changing an explicit servername context for the
2094  *   session, i.e. when the session has been established with a servername
2095  *   extension.
2096  * - On session reconnect, the servername extension may be absent.
2097  *
2098  */
2099 
2100         if (type == TLSEXT_TYPE_server_name) {
2101             unsigned char *sdata;
2102             int servname_type;
2103             int dsize;
2104 
2105             if (size < 2)
2106                 goto err;
2107             n2s(data, dsize);
2108             size -= 2;
2109             if (dsize > size)
2110                 goto err;
2111 
2112             sdata = data;
2113             while (dsize > 3) {
2114                 servname_type = *(sdata++);
2115                 n2s(sdata, len);
2116                 dsize -= 3;
2117 
2118                 if (len > dsize)
2119                     goto err;
2120 
2121                 if (s->servername_done == 0)
2122                     switch (servname_type) {
2123                     case TLSEXT_NAMETYPE_host_name:
2124                         if (!s->hit) {
2125                             if (s->session->tlsext_hostname)
2126                                 goto err;
2127 
2128                             if (len > TLSEXT_MAXLEN_host_name) {
2129                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2130                                 return 0;
2131                             }
2132                             if ((s->session->tlsext_hostname =
2133                                  OPENSSL_malloc(len + 1)) == NULL) {
2134                                 *al = TLS1_AD_INTERNAL_ERROR;
2135                                 return 0;
2136                             }
2137                             memcpy(s->session->tlsext_hostname, sdata, len);
2138                             s->session->tlsext_hostname[len] = '\0';
2139                             if (strlen(s->session->tlsext_hostname) != len) {
2140                                 OPENSSL_free(s->session->tlsext_hostname);
2141                                 s->session->tlsext_hostname = NULL;
2142                                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2143                                 return 0;
2144                             }
2145                             s->servername_done = 1;
2146 
2147                         } else
2148                             s->servername_done = s->session->tlsext_hostname
2149                                 && strlen(s->session->tlsext_hostname) == len
2150                                 && strncmp(s->session->tlsext_hostname,
2151                                            (char *)sdata, len) == 0;
2152 
2153                         break;
2154 
2155                     default:
2156                         break;
2157                     }
2158 
2159                 dsize -= len;
2160             }
2161             if (dsize != 0)
2162                 goto err;
2163 
2164         }
2165 # ifndef OPENSSL_NO_SRP
2166         else if (type == TLSEXT_TYPE_srp) {
2167             if (size == 0 || ((len = data[0])) != (size - 1))
2168                 goto err;
2169             if (s->srp_ctx.login != NULL)
2170                 goto err;
2171             if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL)
2172                 return -1;
2173             memcpy(s->srp_ctx.login, &data[1], len);
2174             s->srp_ctx.login[len] = '\0';
2175 
2176             if (strlen(s->srp_ctx.login) != len)
2177                 goto err;
2178         }
2179 # endif
2180 
2181 # ifndef OPENSSL_NO_EC
2182         else if (type == TLSEXT_TYPE_ec_point_formats) {
2183             unsigned char *sdata = data;
2184             int ecpointformatlist_length = *(sdata++);
2185 
2186             if (ecpointformatlist_length != size - 1 ||
2187                 ecpointformatlist_length < 1)
2188                 goto err;
2189             if (!s->hit) {
2190                 if (s->session->tlsext_ecpointformatlist) {
2191                     OPENSSL_free(s->session->tlsext_ecpointformatlist);
2192                     s->session->tlsext_ecpointformatlist = NULL;
2193                 }
2194                 s->session->tlsext_ecpointformatlist_length = 0;
2195                 if ((s->session->tlsext_ecpointformatlist =
2196                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2197                     *al = TLS1_AD_INTERNAL_ERROR;
2198                     return 0;
2199                 }
2200                 s->session->tlsext_ecpointformatlist_length =
2201                     ecpointformatlist_length;
2202                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2203                        ecpointformatlist_length);
2204             }
2205 #  if 0
2206             fprintf(stderr,
2207                     "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
2208                     s->session->tlsext_ecpointformatlist_length);
2209             sdata = s->session->tlsext_ecpointformatlist;
2210             for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2211                 fprintf(stderr, "%i ", *(sdata++));
2212             fprintf(stderr, "\n");
2213 #  endif
2214         } else if (type == TLSEXT_TYPE_elliptic_curves) {
2215             unsigned char *sdata = data;
2216             int ellipticcurvelist_length = (*(sdata++) << 8);
2217             ellipticcurvelist_length += (*(sdata++));
2218 
2219             if (ellipticcurvelist_length != size - 2 ||
2220                 ellipticcurvelist_length < 1 ||
2221                 /* Each NamedCurve is 2 bytes. */
2222                 ellipticcurvelist_length & 1)
2223                     goto err;
2224 
2225             if (!s->hit) {
2226                 if (s->session->tlsext_ellipticcurvelist)
2227                     goto err;
2228 
2229                 s->session->tlsext_ellipticcurvelist_length = 0;
2230                 if ((s->session->tlsext_ellipticcurvelist =
2231                      OPENSSL_malloc(ellipticcurvelist_length)) == NULL) {
2232                     *al = TLS1_AD_INTERNAL_ERROR;
2233                     return 0;
2234                 }
2235                 s->session->tlsext_ellipticcurvelist_length =
2236                     ellipticcurvelist_length;
2237                 memcpy(s->session->tlsext_ellipticcurvelist, sdata,
2238                        ellipticcurvelist_length);
2239             }
2240 #  if 0
2241             fprintf(stderr,
2242                     "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
2243                     s->session->tlsext_ellipticcurvelist_length);
2244             sdata = s->session->tlsext_ellipticcurvelist;
2245             for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
2246                 fprintf(stderr, "%i ", *(sdata++));
2247             fprintf(stderr, "\n");
2248 #  endif
2249         }
2250 # endif                         /* OPENSSL_NO_EC */
2251 # ifdef TLSEXT_TYPE_opaque_prf_input
2252         else if (type == TLSEXT_TYPE_opaque_prf_input) {
2253             unsigned char *sdata = data;
2254 
2255             if (size < 2) {
2256                 *al = SSL_AD_DECODE_ERROR;
2257                 return 0;
2258             }
2259             n2s(sdata, s->s3->client_opaque_prf_input_len);
2260             if (s->s3->client_opaque_prf_input_len != size - 2) {
2261                 *al = SSL_AD_DECODE_ERROR;
2262                 return 0;
2263             }
2264 
2265             if (s->s3->client_opaque_prf_input != NULL) {
2266                 /* shouldn't really happen */
2267                 OPENSSL_free(s->s3->client_opaque_prf_input);
2268             }
2269 
2270             /* dummy byte just to get non-NULL */
2271             if (s->s3->client_opaque_prf_input_len == 0)
2272                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2273             else
2274                 s->s3->client_opaque_prf_input =
2275                     BUF_memdup(sdata, s->s3->client_opaque_prf_input_len);
2276             if (s->s3->client_opaque_prf_input == NULL) {
2277                 *al = TLS1_AD_INTERNAL_ERROR;
2278                 return 0;
2279             }
2280         }
2281 # endif
2282         else if (type == TLSEXT_TYPE_session_ticket) {
2283             if (s->tls_session_ticket_ext_cb &&
2284                 !s->tls_session_ticket_ext_cb(s, data, size,
2285                                               s->tls_session_ticket_ext_cb_arg))
2286             {
2287                 *al = TLS1_AD_INTERNAL_ERROR;
2288                 return 0;
2289             }
2290         } else if (type == TLSEXT_TYPE_renegotiate) {
2291             if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al))
2292                 return 0;
2293             renegotiate_seen = 1;
2294         } else if (type == TLSEXT_TYPE_signature_algorithms) {
2295             int dsize;
2296             if (s->cert->peer_sigalgs || size < 2)
2297                 goto err;
2298             n2s(data, dsize);
2299             size -= 2;
2300             if (dsize != size || dsize & 1 || !dsize)
2301                 goto err;
2302             if (!tls1_save_sigalgs(s, data, dsize))
2303                 goto err;
2304         } else if (type == TLSEXT_TYPE_status_request) {
2305 
2306             if (size < 5)
2307                 goto err;
2308 
2309             s->tlsext_status_type = *data++;
2310             size--;
2311             if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
2312                 const unsigned char *sdata;
2313                 int dsize;
2314                 /* Read in responder_id_list */
2315                 n2s(data, dsize);
2316                 size -= 2;
2317                 if (dsize > size)
2318                     goto err;
2319                 while (dsize > 0) {
2320                     OCSP_RESPID *id;
2321                     int idsize;
2322                     if (dsize < 4)
2323                         goto err;
2324                     n2s(data, idsize);
2325                     dsize -= 2 + idsize;
2326                     size -= 2 + idsize;
2327                     if (dsize < 0)
2328                         goto err;
2329                     sdata = data;
2330                     data += idsize;
2331                     id = d2i_OCSP_RESPID(NULL, &sdata, idsize);
2332                     if (!id)
2333                         goto err;
2334                     if (data != sdata) {
2335                         OCSP_RESPID_free(id);
2336                         goto err;
2337                     }
2338                     if (!s->tlsext_ocsp_ids
2339                         && !(s->tlsext_ocsp_ids =
2340                              sk_OCSP_RESPID_new_null())) {
2341                         OCSP_RESPID_free(id);
2342                         *al = SSL_AD_INTERNAL_ERROR;
2343                         return 0;
2344                     }
2345                     if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
2346                         OCSP_RESPID_free(id);
2347                         *al = SSL_AD_INTERNAL_ERROR;
2348                         return 0;
2349                     }
2350                 }
2351 
2352                 /* Read in request_extensions */
2353                 if (size < 2)
2354                     goto err;
2355                 n2s(data, dsize);
2356                 size -= 2;
2357                 if (dsize != size)
2358                     goto err;
2359                 sdata = data;
2360                 if (dsize > 0) {
2361                     if (s->tlsext_ocsp_exts) {
2362                         sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
2363                                                    X509_EXTENSION_free);
2364                     }
2365 
2366                     s->tlsext_ocsp_exts =
2367                         d2i_X509_EXTENSIONS(NULL, &sdata, dsize);
2368                     if (!s->tlsext_ocsp_exts || (data + dsize != sdata))
2369                         goto err;
2370                 }
2371             }
2372             /*
2373              * We don't know what to do with any other type * so ignore it.
2374              */
2375             else
2376                 s->tlsext_status_type = -1;
2377         }
2378 # ifndef OPENSSL_NO_HEARTBEATS
2379         else if (type == TLSEXT_TYPE_heartbeat) {
2380             switch (data[0]) {
2381             case 0x01:         /* Client allows us to send HB requests */
2382                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2383                 break;
2384             case 0x02:         /* Client doesn't accept HB requests */
2385                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2386                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2387                 break;
2388             default:
2389                 *al = SSL_AD_ILLEGAL_PARAMETER;
2390                 return 0;
2391             }
2392         }
2393 # endif
2394 # ifndef OPENSSL_NO_NEXTPROTONEG
2395         else if (type == TLSEXT_TYPE_next_proto_neg &&
2396                  s->s3->tmp.finish_md_len == 0) {
2397             /*-
2398              * We shouldn't accept this extension on a
2399              * renegotiation.
2400              *
2401              * s->new_session will be set on renegotiation, but we
2402              * probably shouldn't rely that it couldn't be set on
2403              * the initial renegotation too in certain cases (when
2404              * there's some other reason to disallow resuming an
2405              * earlier session -- the current code won't be doing
2406              * anything like that, but this might change).
2407              *
2408              * A valid sign that there's been a previous handshake
2409              * in this connection is if s->s3->tmp.finish_md_len >
2410              * 0.  (We are talking about a check that will happen
2411              * in the Hello protocol round, well before a new
2412              * Finished message could have been computed.)
2413              */
2414             s->s3->next_proto_neg_seen = 1;
2415         }
2416 # endif
2417 
2418         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
2419                  s->s3->tmp.finish_md_len == 0) {
2420             if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
2421                 return 0;
2422         }
2423 
2424         /* session ticket processed earlier */
2425 # ifndef OPENSSL_NO_SRTP
2426         else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
2427                  && type == TLSEXT_TYPE_use_srtp) {
2428             if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
2429                 return 0;
2430         }
2431 # endif
2432 
2433         data += size;
2434     }
2435 
2436     /* Spurious data on the end */
2437     if (data != limit)
2438         goto err;
2439 
2440     *p = data;
2441 
2442  ri_check:
2443 
2444     /* Need RI if renegotiating */
2445 
2446     if (!renegotiate_seen && s->renegotiate &&
2447         !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2448         *al = SSL_AD_HANDSHAKE_FAILURE;
2449         SSLerr(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT,
2450                SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2451         return 0;
2452     }
2453 
2454     return 1;
2455 err:
2456     *al = SSL_AD_DECODE_ERROR;
2457     return 0;
2458 }
2459 
2460 /*
2461  * Parse any custom extensions found.  "data" is the start of the extension data
2462  * and "limit" is the end of the record. TODO: add strict syntax checking.
2463  */
2464 
2465 static int ssl_scan_clienthello_custom_tlsext(SSL *s,
2466                                               const unsigned char *data,
2467                                               const unsigned char *limit,
2468                                               int *al)
2469 {
2470     unsigned short type, size, len;
2471     /* If resumed session or no custom extensions nothing to do */
2472     if (s->hit || s->cert->srv_ext.meths_count == 0)
2473         return 1;
2474 
2475     if (data >= limit - 2)
2476         return 1;
2477     n2s(data, len);
2478 
2479     if (data > limit - len)
2480         return 1;
2481 
2482     while (data <= limit - 4) {
2483         n2s(data, type);
2484         n2s(data, size);
2485 
2486         if (data + size > limit)
2487             return 1;
2488         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
2489             return 0;
2490 
2491         data += size;
2492     }
2493 
2494     return 1;
2495 }
2496 
2497 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
2498                                  unsigned char *limit)
2499 {
2500     int al = -1;
2501     unsigned char *ptmp = *p;
2502     /*
2503      * Internally supported extensions are parsed first so SNI can be handled
2504      * before custom extensions. An application processing SNI will typically
2505      * switch the parent context using SSL_set_SSL_CTX and custom extensions
2506      * need to be handled by the new SSL_CTX structure.
2507      */
2508     if (ssl_scan_clienthello_tlsext(s, p, limit, &al) <= 0) {
2509         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2510         return 0;
2511     }
2512 
2513     if (ssl_check_clienthello_tlsext_early(s) <= 0) {
2514         SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, SSL_R_CLIENTHELLO_TLSEXT);
2515         return 0;
2516     }
2517 
2518     custom_ext_init(&s->cert->srv_ext);
2519     if (ssl_scan_clienthello_custom_tlsext(s, ptmp, limit, &al) <= 0) {
2520         ssl3_send_alert(s, SSL3_AL_FATAL, al);
2521         return 0;
2522     }
2523 
2524     return 1;
2525 }
2526 
2527 # ifndef OPENSSL_NO_NEXTPROTONEG
2528 /*
2529  * ssl_next_proto_validate validates a Next Protocol Negotiation block. No
2530  * elements of zero length are allowed and the set of elements must exactly
2531  * fill the length of the block.
2532  */
2533 static char ssl_next_proto_validate(unsigned char *d, unsigned len)
2534 {
2535     unsigned int off = 0;
2536 
2537     while (off < len) {
2538         if (d[off] == 0)
2539             return 0;
2540         off += d[off];
2541         off++;
2542     }
2543 
2544     return off == len;
2545 }
2546 # endif
2547 
2548 static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
2549                                        unsigned char *d, int n, int *al)
2550 {
2551     unsigned short length;
2552     unsigned short type;
2553     unsigned short size;
2554     unsigned char *data = *p;
2555     int tlsext_servername = 0;
2556     int renegotiate_seen = 0;
2557 
2558 # ifndef OPENSSL_NO_NEXTPROTONEG
2559     s->s3->next_proto_neg_seen = 0;
2560 # endif
2561     s->tlsext_ticket_expected = 0;
2562 
2563     if (s->s3->alpn_selected) {
2564         OPENSSL_free(s->s3->alpn_selected);
2565         s->s3->alpn_selected = NULL;
2566     }
2567 # ifndef OPENSSL_NO_HEARTBEATS
2568     s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
2569                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
2570 # endif
2571 
2572     if (data >= (d + n - 2))
2573         goto ri_check;
2574 
2575     n2s(data, length);
2576     if (data + length != d + n) {
2577         *al = SSL_AD_DECODE_ERROR;
2578         return 0;
2579     }
2580 
2581     while (data <= (d + n - 4)) {
2582         n2s(data, type);
2583         n2s(data, size);
2584 
2585         if (data + size > (d + n))
2586             goto ri_check;
2587 
2588         if (s->tlsext_debug_cb)
2589             s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg);
2590 
2591         if (type == TLSEXT_TYPE_server_name) {
2592             if (s->tlsext_hostname == NULL || size > 0) {
2593                 *al = TLS1_AD_UNRECOGNIZED_NAME;
2594                 return 0;
2595             }
2596             tlsext_servername = 1;
2597         }
2598 # ifndef OPENSSL_NO_EC
2599         else if (type == TLSEXT_TYPE_ec_point_formats) {
2600             unsigned char *sdata = data;
2601             int ecpointformatlist_length = *(sdata++);
2602 
2603             if (ecpointformatlist_length != size - 1) {
2604                 *al = TLS1_AD_DECODE_ERROR;
2605                 return 0;
2606             }
2607             if (!s->hit) {
2608                 s->session->tlsext_ecpointformatlist_length = 0;
2609                 if (s->session->tlsext_ecpointformatlist != NULL)
2610                     OPENSSL_free(s->session->tlsext_ecpointformatlist);
2611                 if ((s->session->tlsext_ecpointformatlist =
2612                      OPENSSL_malloc(ecpointformatlist_length)) == NULL) {
2613                     *al = TLS1_AD_INTERNAL_ERROR;
2614                     return 0;
2615                 }
2616                 s->session->tlsext_ecpointformatlist_length =
2617                     ecpointformatlist_length;
2618                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
2619                        ecpointformatlist_length);
2620             }
2621 #  if 0
2622             fprintf(stderr,
2623                     "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
2624             sdata = s->session->tlsext_ecpointformatlist;
2625             for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
2626                 fprintf(stderr, "%i ", *(sdata++));
2627             fprintf(stderr, "\n");
2628 #  endif
2629         }
2630 # endif                         /* OPENSSL_NO_EC */
2631 
2632         else if (type == TLSEXT_TYPE_session_ticket) {
2633             if (s->tls_session_ticket_ext_cb &&
2634                 !s->tls_session_ticket_ext_cb(s, data, size,
2635                                               s->tls_session_ticket_ext_cb_arg))
2636             {
2637                 *al = TLS1_AD_INTERNAL_ERROR;
2638                 return 0;
2639             }
2640             if ((SSL_get_options(s) & SSL_OP_NO_TICKET)
2641                 || (size > 0)) {
2642                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2643                 return 0;
2644             }
2645             s->tlsext_ticket_expected = 1;
2646         }
2647 # ifdef TLSEXT_TYPE_opaque_prf_input
2648         else if (type == TLSEXT_TYPE_opaque_prf_input) {
2649             unsigned char *sdata = data;
2650 
2651             if (size < 2) {
2652                 *al = SSL_AD_DECODE_ERROR;
2653                 return 0;
2654             }
2655             n2s(sdata, s->s3->server_opaque_prf_input_len);
2656             if (s->s3->server_opaque_prf_input_len != size - 2) {
2657                 *al = SSL_AD_DECODE_ERROR;
2658                 return 0;
2659             }
2660 
2661             if (s->s3->server_opaque_prf_input != NULL) {
2662                 /* shouldn't really happen */
2663                 OPENSSL_free(s->s3->server_opaque_prf_input);
2664             }
2665             if (s->s3->server_opaque_prf_input_len == 0) {
2666                 /* dummy byte just to get non-NULL */
2667                 s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2668             } else {
2669                 s->s3->server_opaque_prf_input =
2670                     BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
2671             }
2672 
2673             if (s->s3->server_opaque_prf_input == NULL) {
2674                 *al = TLS1_AD_INTERNAL_ERROR;
2675                 return 0;
2676             }
2677         }
2678 # endif
2679         else if (type == TLSEXT_TYPE_status_request) {
2680             /*
2681              * MUST be empty and only sent if we've requested a status
2682              * request message.
2683              */
2684             if ((s->tlsext_status_type == -1) || (size > 0)) {
2685                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2686                 return 0;
2687             }
2688             /* Set flag to expect CertificateStatus message */
2689             s->tlsext_status_expected = 1;
2690         }
2691 # ifndef OPENSSL_NO_NEXTPROTONEG
2692         else if (type == TLSEXT_TYPE_next_proto_neg &&
2693                  s->s3->tmp.finish_md_len == 0) {
2694             unsigned char *selected;
2695             unsigned char selected_len;
2696 
2697             /* We must have requested it. */
2698             if (s->ctx->next_proto_select_cb == NULL) {
2699                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2700                 return 0;
2701             }
2702             /* The data must be valid */
2703             if (!ssl_next_proto_validate(data, size)) {
2704                 *al = TLS1_AD_DECODE_ERROR;
2705                 return 0;
2706             }
2707             if (s->
2708                 ctx->next_proto_select_cb(s, &selected, &selected_len, data,
2709                                           size,
2710                                           s->ctx->next_proto_select_cb_arg) !=
2711                 SSL_TLSEXT_ERR_OK) {
2712                 *al = TLS1_AD_INTERNAL_ERROR;
2713                 return 0;
2714             }
2715             s->next_proto_negotiated = OPENSSL_malloc(selected_len);
2716             if (!s->next_proto_negotiated) {
2717                 *al = TLS1_AD_INTERNAL_ERROR;
2718                 return 0;
2719             }
2720             memcpy(s->next_proto_negotiated, selected, selected_len);
2721             s->next_proto_negotiated_len = selected_len;
2722             s->s3->next_proto_neg_seen = 1;
2723         }
2724 # endif
2725 
2726         else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) {
2727             unsigned len;
2728 
2729             /* We must have requested it. */
2730             if (!s->cert->alpn_sent) {
2731                 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
2732                 return 0;
2733             }
2734             if (size < 4) {
2735                 *al = TLS1_AD_DECODE_ERROR;
2736                 return 0;
2737             }
2738             /*-
2739              * The extension data consists of:
2740              *   uint16 list_length
2741              *   uint8 proto_length;
2742              *   uint8 proto[proto_length];
2743              */
2744             len = data[0];
2745             len <<= 8;
2746             len |= data[1];
2747             if (len != (unsigned)size - 2) {
2748                 *al = TLS1_AD_DECODE_ERROR;
2749                 return 0;
2750             }
2751             len = data[2];
2752             if (len != (unsigned)size - 3) {
2753                 *al = TLS1_AD_DECODE_ERROR;
2754                 return 0;
2755             }
2756             if (s->s3->alpn_selected)
2757                 OPENSSL_free(s->s3->alpn_selected);
2758             s->s3->alpn_selected = OPENSSL_malloc(len);
2759             if (!s->s3->alpn_selected) {
2760                 *al = TLS1_AD_INTERNAL_ERROR;
2761                 return 0;
2762             }
2763             memcpy(s->s3->alpn_selected, data + 3, len);
2764             s->s3->alpn_selected_len = len;
2765         }
2766 
2767         else if (type == TLSEXT_TYPE_renegotiate) {
2768             if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
2769                 return 0;
2770             renegotiate_seen = 1;
2771         }
2772 # ifndef OPENSSL_NO_HEARTBEATS
2773         else if (type == TLSEXT_TYPE_heartbeat) {
2774             switch (data[0]) {
2775             case 0x01:         /* Server allows us to send HB requests */
2776                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2777                 break;
2778             case 0x02:         /* Server doesn't accept HB requests */
2779                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
2780                 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
2781                 break;
2782             default:
2783                 *al = SSL_AD_ILLEGAL_PARAMETER;
2784                 return 0;
2785             }
2786         }
2787 # endif
2788 # ifndef OPENSSL_NO_SRTP
2789         else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) {
2790             if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al))
2791                 return 0;
2792         }
2793 # endif
2794         /*
2795          * If this extension type was not otherwise handled, but matches a
2796          * custom_cli_ext_record, then send it to the c callback
2797          */
2798         else if (custom_ext_parse(s, 0, type, data, size, al) <= 0)
2799             return 0;
2800 
2801         data += size;
2802     }
2803 
2804     if (data != d + n) {
2805         *al = SSL_AD_DECODE_ERROR;
2806         return 0;
2807     }
2808 
2809     if (!s->hit && tlsext_servername == 1) {
2810         if (s->tlsext_hostname) {
2811             if (s->session->tlsext_hostname == NULL) {
2812                 s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
2813                 if (!s->session->tlsext_hostname) {
2814                     *al = SSL_AD_UNRECOGNIZED_NAME;
2815                     return 0;
2816                 }
2817             } else {
2818                 *al = SSL_AD_DECODE_ERROR;
2819                 return 0;
2820             }
2821         }
2822     }
2823 
2824     *p = data;
2825 
2826  ri_check:
2827 
2828     /*
2829      * Determine if we need to see RI. Strictly speaking if we want to avoid
2830      * an attack we should *always* see RI even on initial server hello
2831      * because the client doesn't see any renegotiation during an attack.
2832      * However this would mean we could not connect to any server which
2833      * doesn't support RI so for the immediate future tolerate RI absence on
2834      * initial connect only.
2835      */
2836     if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
2837         && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
2838         *al = SSL_AD_HANDSHAKE_FAILURE;
2839         SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
2840                SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
2841         return 0;
2842     }
2843 
2844     return 1;
2845 }
2846 
2847 int ssl_prepare_clienthello_tlsext(SSL *s)
2848 {
2849 
2850 # ifdef TLSEXT_TYPE_opaque_prf_input
2851     {
2852         int r = 1;
2853 
2854         if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2855             r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2856                                                          s->
2857                                                          ctx->tlsext_opaque_prf_input_callback_arg);
2858             if (!r)
2859                 return -1;
2860         }
2861 
2862         if (s->tlsext_opaque_prf_input != NULL) {
2863             if (s->s3->client_opaque_prf_input != NULL) {
2864                 /* shouldn't really happen */
2865                 OPENSSL_free(s->s3->client_opaque_prf_input);
2866             }
2867 
2868             if (s->tlsext_opaque_prf_input_len == 0) {
2869                 /* dummy byte just to get non-NULL */
2870                 s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
2871             } else {
2872                 s->s3->client_opaque_prf_input =
2873                     BUF_memdup(s->tlsext_opaque_prf_input,
2874                                s->tlsext_opaque_prf_input_len);
2875             }
2876             if (s->s3->client_opaque_prf_input == NULL) {
2877                 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,
2878                        ERR_R_MALLOC_FAILURE);
2879                 return -1;
2880             }
2881             s->s3->client_opaque_prf_input_len =
2882                 s->tlsext_opaque_prf_input_len;
2883         }
2884 
2885         if (r == 2)
2886             /*
2887              * at callback's request, insist on receiving an appropriate
2888              * server opaque PRF input
2889              */
2890             s->s3->server_opaque_prf_input_len =
2891                 s->tlsext_opaque_prf_input_len;
2892     }
2893 # endif
2894 
2895     s->cert->alpn_sent = 0;
2896     return 1;
2897 }
2898 
2899 int ssl_prepare_serverhello_tlsext(SSL *s)
2900 {
2901     return 1;
2902 }
2903 
2904 static int ssl_check_clienthello_tlsext_early(SSL *s)
2905 {
2906     int ret = SSL_TLSEXT_ERR_NOACK;
2907     int al = SSL_AD_UNRECOGNIZED_NAME;
2908 
2909 # ifndef OPENSSL_NO_EC
2910     /*
2911      * The handling of the ECPointFormats extension is done elsewhere, namely
2912      * in ssl3_choose_cipher in s3_lib.c.
2913      */
2914     /*
2915      * The handling of the EllipticCurves extension is done elsewhere, namely
2916      * in ssl3_choose_cipher in s3_lib.c.
2917      */
2918 # endif
2919 
2920     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
2921         ret =
2922             s->ctx->tlsext_servername_callback(s, &al,
2923                                                s->ctx->tlsext_servername_arg);
2924     else if (s->initial_ctx != NULL
2925              && s->initial_ctx->tlsext_servername_callback != 0)
2926         ret =
2927             s->initial_ctx->tlsext_servername_callback(s, &al,
2928                                                        s->
2929                                                        initial_ctx->tlsext_servername_arg);
2930 
2931 # ifdef TLSEXT_TYPE_opaque_prf_input
2932     {
2933         /*
2934          * This sort of belongs into ssl_prepare_serverhello_tlsext(), but we
2935          * might be sending an alert in response to the client hello, so this
2936          * has to happen here in ssl_check_clienthello_tlsext_early().
2937          */
2938 
2939         int r = 1;
2940 
2941         if (s->ctx->tlsext_opaque_prf_input_callback != 0) {
2942             r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0,
2943                                                          s->
2944                                                          ctx->tlsext_opaque_prf_input_callback_arg);
2945             if (!r) {
2946                 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2947                 al = SSL_AD_INTERNAL_ERROR;
2948                 goto err;
2949             }
2950         }
2951 
2952         if (s->s3->server_opaque_prf_input != NULL) {
2953             /* shouldn't really happen */
2954             OPENSSL_free(s->s3->server_opaque_prf_input);
2955         }
2956         s->s3->server_opaque_prf_input = NULL;
2957 
2958         if (s->tlsext_opaque_prf_input != NULL) {
2959             if (s->s3->client_opaque_prf_input != NULL &&
2960                 s->s3->client_opaque_prf_input_len ==
2961                 s->tlsext_opaque_prf_input_len) {
2962                 /*
2963                  * can only use this extension if we have a server opaque PRF
2964                  * input of the same length as the client opaque PRF input!
2965                  */
2966 
2967                 if (s->tlsext_opaque_prf_input_len == 0) {
2968                     /* dummy byte just to get non-NULL */
2969                     s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
2970                 } else {
2971                     s->s3->server_opaque_prf_input =
2972                         BUF_memdup(s->tlsext_opaque_prf_input,
2973                                    s->tlsext_opaque_prf_input_len);
2974                 }
2975                 if (s->s3->server_opaque_prf_input == NULL) {
2976                     ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2977                     al = SSL_AD_INTERNAL_ERROR;
2978                     goto err;
2979                 }
2980                 s->s3->server_opaque_prf_input_len =
2981                     s->tlsext_opaque_prf_input_len;
2982             }
2983         }
2984 
2985         if (r == 2 && s->s3->server_opaque_prf_input == NULL) {
2986             /*
2987              * The callback wants to enforce use of the extension, but we
2988              * can't do that with the client opaque PRF input; abort the
2989              * handshake.
2990              */
2991             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2992             al = SSL_AD_HANDSHAKE_FAILURE;
2993         }
2994     }
2995 
2996  err:
2997 # endif
2998     switch (ret) {
2999     case SSL_TLSEXT_ERR_ALERT_FATAL:
3000         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3001         return -1;
3002 
3003     case SSL_TLSEXT_ERR_ALERT_WARNING:
3004         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3005         return 1;
3006 
3007     case SSL_TLSEXT_ERR_NOACK:
3008         s->servername_done = 0;
3009     default:
3010         return 1;
3011     }
3012 }
3013 
3014 int tls1_set_server_sigalgs(SSL *s)
3015 {
3016     int al;
3017     size_t i;
3018     /* Clear any shared sigtnature algorithms */
3019     if (s->cert->shared_sigalgs) {
3020         OPENSSL_free(s->cert->shared_sigalgs);
3021         s->cert->shared_sigalgs = NULL;
3022         s->cert->shared_sigalgslen = 0;
3023     }
3024     /* Clear certificate digests and validity flags */
3025     for (i = 0; i < SSL_PKEY_NUM; i++) {
3026         s->cert->pkeys[i].digest = NULL;
3027         s->cert->pkeys[i].valid_flags = 0;
3028     }
3029 
3030     /* If sigalgs received process it. */
3031     if (s->cert->peer_sigalgs) {
3032         if (!tls1_process_sigalgs(s)) {
3033             SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS, ERR_R_MALLOC_FAILURE);
3034             al = SSL_AD_INTERNAL_ERROR;
3035             goto err;
3036         }
3037         /* Fatal error is no shared signature algorithms */
3038         if (!s->cert->shared_sigalgs) {
3039             SSLerr(SSL_F_TLS1_SET_SERVER_SIGALGS,
3040                    SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
3041             al = SSL_AD_ILLEGAL_PARAMETER;
3042             goto err;
3043         }
3044     } else
3045         ssl_cert_set_default_md(s->cert);
3046     return 1;
3047  err:
3048     ssl3_send_alert(s, SSL3_AL_FATAL, al);
3049     return 0;
3050 }
3051 
3052 int ssl_check_clienthello_tlsext_late(SSL *s)
3053 {
3054     int ret = SSL_TLSEXT_ERR_OK;
3055     int al;
3056 
3057     /*
3058      * If status request then ask callback what to do. Note: this must be
3059      * called after servername callbacks in case the certificate has changed,
3060      * and must be called after the cipher has been chosen because this may
3061      * influence which certificate is sent
3062      */
3063     if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
3064         int r;
3065         CERT_PKEY *certpkey;
3066         certpkey = ssl_get_server_send_pkey(s);
3067         /* If no certificate can't return certificate status */
3068         if (certpkey == NULL) {
3069             s->tlsext_status_expected = 0;
3070             return 1;
3071         }
3072         /*
3073          * Set current certificate to one we will use so SSL_get_certificate
3074          * et al can pick it up.
3075          */
3076         s->cert->key = certpkey;
3077         r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3078         switch (r) {
3079             /* We don't want to send a status request response */
3080         case SSL_TLSEXT_ERR_NOACK:
3081             s->tlsext_status_expected = 0;
3082             break;
3083             /* status request response should be sent */
3084         case SSL_TLSEXT_ERR_OK:
3085             if (s->tlsext_ocsp_resp)
3086                 s->tlsext_status_expected = 1;
3087             else
3088                 s->tlsext_status_expected = 0;
3089             break;
3090             /* something bad happened */
3091         case SSL_TLSEXT_ERR_ALERT_FATAL:
3092             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3093             al = SSL_AD_INTERNAL_ERROR;
3094             goto err;
3095         }
3096     } else
3097         s->tlsext_status_expected = 0;
3098 
3099     if (!tls1_alpn_handle_client_hello_late(s, &ret, &al)) {
3100         goto err;
3101     }
3102 
3103  err:
3104     switch (ret) {
3105     case SSL_TLSEXT_ERR_ALERT_FATAL:
3106         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3107         return -1;
3108 
3109     case SSL_TLSEXT_ERR_ALERT_WARNING:
3110         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3111         return 1;
3112 
3113     default:
3114         return 1;
3115     }
3116 }
3117 
3118 int ssl_check_serverhello_tlsext(SSL *s)
3119 {
3120     int ret = SSL_TLSEXT_ERR_NOACK;
3121     int al = SSL_AD_UNRECOGNIZED_NAME;
3122 
3123 # ifndef OPENSSL_NO_EC
3124     /*
3125      * If we are client and using an elliptic curve cryptography cipher
3126      * suite, then if server returns an EC point formats lists extension it
3127      * must contain uncompressed.
3128      */
3129     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3130     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3131     if ((s->tlsext_ecpointformatlist != NULL)
3132         && (s->tlsext_ecpointformatlist_length > 0)
3133         && (s->session->tlsext_ecpointformatlist != NULL)
3134         && (s->session->tlsext_ecpointformatlist_length > 0)
3135         && ((alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe))
3136             || (alg_a & SSL_aECDSA))) {
3137         /* we are using an ECC cipher */
3138         size_t i;
3139         unsigned char *list;
3140         int found_uncompressed = 0;
3141         list = s->session->tlsext_ecpointformatlist;
3142         for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
3143             if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) {
3144                 found_uncompressed = 1;
3145                 break;
3146             }
3147         }
3148         if (!found_uncompressed) {
3149             SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,
3150                    SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
3151             return -1;
3152         }
3153     }
3154     ret = SSL_TLSEXT_ERR_OK;
3155 # endif                         /* OPENSSL_NO_EC */
3156 
3157     if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
3158         ret =
3159             s->ctx->tlsext_servername_callback(s, &al,
3160                                                s->ctx->tlsext_servername_arg);
3161     else if (s->initial_ctx != NULL
3162              && s->initial_ctx->tlsext_servername_callback != 0)
3163         ret =
3164             s->initial_ctx->tlsext_servername_callback(s, &al,
3165                                                        s->
3166                                                        initial_ctx->tlsext_servername_arg);
3167 
3168 # ifdef TLSEXT_TYPE_opaque_prf_input
3169     if (s->s3->server_opaque_prf_input_len > 0) {
3170         /*
3171          * This case may indicate that we, as a client, want to insist on
3172          * using opaque PRF inputs. So first verify that we really have a
3173          * value from the server too.
3174          */
3175 
3176         if (s->s3->server_opaque_prf_input == NULL) {
3177             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3178             al = SSL_AD_HANDSHAKE_FAILURE;
3179         }
3180 
3181         /*
3182          * Anytime the server *has* sent an opaque PRF input, we need to
3183          * check that we have a client opaque PRF input of the same size.
3184          */
3185         if (s->s3->client_opaque_prf_input == NULL ||
3186             s->s3->client_opaque_prf_input_len !=
3187             s->s3->server_opaque_prf_input_len) {
3188             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3189             al = SSL_AD_ILLEGAL_PARAMETER;
3190         }
3191     }
3192 # endif
3193 
3194     OPENSSL_free(s->tlsext_ocsp_resp);
3195     s->tlsext_ocsp_resp = NULL;
3196     s->tlsext_ocsp_resplen = -1;
3197     /*
3198      * If we've requested certificate status and we wont get one tell the
3199      * callback
3200      */
3201     if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
3202         && !(s->hit) && s->ctx && s->ctx->tlsext_status_cb) {
3203         int r;
3204         /*
3205          * Call callback with resp == NULL and resplen == -1 so callback
3206          * knows there is no response
3207          */
3208         r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
3209         if (r == 0) {
3210             al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
3211             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3212         }
3213         if (r < 0) {
3214             al = SSL_AD_INTERNAL_ERROR;
3215             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
3216         }
3217     }
3218 
3219     switch (ret) {
3220     case SSL_TLSEXT_ERR_ALERT_FATAL:
3221         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3222         return -1;
3223 
3224     case SSL_TLSEXT_ERR_ALERT_WARNING:
3225         ssl3_send_alert(s, SSL3_AL_WARNING, al);
3226         return 1;
3227 
3228     case SSL_TLSEXT_ERR_NOACK:
3229         s->servername_done = 0;
3230     default:
3231         return 1;
3232     }
3233 }
3234 
3235 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
3236                                  int n)
3237 {
3238     int al = -1;
3239     if (s->version < SSL3_VERSION)
3240         return 1;
3241     if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) {
3242         ssl3_send_alert(s, SSL3_AL_FATAL, al);
3243         return 0;
3244     }
3245 
3246     if (ssl_check_serverhello_tlsext(s) <= 0) {
3247         SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSL_R_SERVERHELLO_TLSEXT);
3248         return 0;
3249     }
3250     return 1;
3251 }
3252 
3253 /*-
3254  * Since the server cache lookup is done early on in the processing of the
3255  * ClientHello, and other operations depend on the result, we need to handle
3256  * any TLS session ticket extension at the same time.
3257  *
3258  *   session_id: points at the session ID in the ClientHello. This code will
3259  *       read past the end of this in order to parse out the session ticket
3260  *       extension, if any.
3261  *   len: the length of the session ID.
3262  *   limit: a pointer to the first byte after the ClientHello.
3263  *   ret: (output) on return, if a ticket was decrypted, then this is set to
3264  *       point to the resulting session.
3265  *
3266  * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
3267  * ciphersuite, in which case we have no use for session tickets and one will
3268  * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
3269  *
3270  * Returns:
3271  *   -1: fatal error, either from parsing or decrypting the ticket.
3272  *    0: no ticket was found (or was ignored, based on settings).
3273  *    1: a zero length extension was found, indicating that the client supports
3274  *       session tickets but doesn't currently have one to offer.
3275  *    2: either s->tls_session_secret_cb was set, or a ticket was offered but
3276  *       couldn't be decrypted because of a non-fatal error.
3277  *    3: a ticket was successfully decrypted and *ret was set.
3278  *
3279  * Side effects:
3280  *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
3281  *   a new session ticket to the client because the client indicated support
3282  *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
3283  *   a session ticket or we couldn't use the one it gave us, or if
3284  *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
3285  *   Otherwise, s->tlsext_ticket_expected is set to 0.
3286  */
3287 int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
3288                         const unsigned char *limit, SSL_SESSION **ret)
3289 {
3290     /* Point after session ID in client hello */
3291     const unsigned char *p = session_id + len;
3292     unsigned short i;
3293 
3294     *ret = NULL;
3295     s->tlsext_ticket_expected = 0;
3296 
3297     /*
3298      * If tickets disabled behave as if no ticket present to permit stateful
3299      * resumption.
3300      */
3301     if (SSL_get_options(s) & SSL_OP_NO_TICKET)
3302         return 0;
3303     if ((s->version <= SSL3_VERSION) || !limit)
3304         return 0;
3305     if (p >= limit)
3306         return -1;
3307     /* Skip past DTLS cookie */
3308     if (SSL_IS_DTLS(s)) {
3309         i = *(p++);
3310         p += i;
3311         if (p >= limit)
3312             return -1;
3313     }
3314     /* Skip past cipher list */
3315     n2s(p, i);
3316     p += i;
3317     if (p >= limit)
3318         return -1;
3319     /* Skip past compression algorithm list */
3320     i = *(p++);
3321     p += i;
3322     if (p > limit)
3323         return -1;
3324     /* Now at start of extensions */
3325     if ((p + 2) >= limit)
3326         return 0;
3327     n2s(p, i);
3328     while ((p + 4) <= limit) {
3329         unsigned short type, size;
3330         n2s(p, type);
3331         n2s(p, size);
3332         if (p + size > limit)
3333             return 0;
3334         if (type == TLSEXT_TYPE_session_ticket) {
3335             int r;
3336             if (size == 0) {
3337                 /*
3338                  * The client will accept a ticket but doesn't currently have
3339                  * one.
3340                  */
3341                 s->tlsext_ticket_expected = 1;
3342                 return 1;
3343             }
3344             if (s->tls_session_secret_cb) {
3345                 /*
3346                  * Indicate that the ticket couldn't be decrypted rather than
3347                  * generating the session from ticket now, trigger
3348                  * abbreviated handshake based on external mechanism to
3349                  * calculate the master secret later.
3350                  */
3351                 return 2;
3352             }
3353             r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
3354             switch (r) {
3355             case 2:            /* ticket couldn't be decrypted */
3356                 s->tlsext_ticket_expected = 1;
3357                 return 2;
3358             case 3:            /* ticket was decrypted */
3359                 return r;
3360             case 4:            /* ticket decrypted but need to renew */
3361                 s->tlsext_ticket_expected = 1;
3362                 return 3;
3363             default:           /* fatal error */
3364                 return -1;
3365             }
3366         }
3367         p += size;
3368     }
3369     return 0;
3370 }
3371 
3372 /*-
3373  * tls_decrypt_ticket attempts to decrypt a session ticket.
3374  *
3375  *   etick: points to the body of the session ticket extension.
3376  *   eticklen: the length of the session tickets extenion.
3377  *   sess_id: points at the session ID.
3378  *   sesslen: the length of the session ID.
3379  *   psess: (output) on return, if a ticket was decrypted, then this is set to
3380  *       point to the resulting session.
3381  *
3382  * Returns:
3383  *   -1: fatal error, either from parsing or decrypting the ticket.
3384  *    2: the ticket couldn't be decrypted.
3385  *    3: a ticket was successfully decrypted and *psess was set.
3386  *    4: same as 3, but the ticket needs to be renewed.
3387  */
3388 static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
3389                               int eticklen, const unsigned char *sess_id,
3390                               int sesslen, SSL_SESSION **psess)
3391 {
3392     SSL_SESSION *sess;
3393     unsigned char *sdec;
3394     const unsigned char *p;
3395     int slen, mlen, renew_ticket = 0;
3396     unsigned char tick_hmac[EVP_MAX_MD_SIZE];
3397     HMAC_CTX hctx;
3398     EVP_CIPHER_CTX ctx;
3399     SSL_CTX *tctx = s->initial_ctx;
3400     /* Need at least keyname + iv + some encrypted data */
3401     if (eticklen < 48)
3402         return 2;
3403     /* Initialize session ticket encryption and HMAC contexts */
3404     HMAC_CTX_init(&hctx);
3405     EVP_CIPHER_CTX_init(&ctx);
3406     if (tctx->tlsext_ticket_key_cb) {
3407         unsigned char *nctick = (unsigned char *)etick;
3408         int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
3409                                             &ctx, &hctx, 0);
3410         if (rv < 0)
3411             return -1;
3412         if (rv == 0)
3413             return 2;
3414         if (rv == 2)
3415             renew_ticket = 1;
3416     } else {
3417         /* Check key name matches */
3418         if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
3419             return 2;
3420         if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
3421                          tlsext_tick_md(), NULL) <= 0
3422                 || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
3423                                       tctx->tlsext_tick_aes_key,
3424                                       etick + 16) <= 0) {
3425             goto err;
3426        }
3427     }
3428     /*
3429      * Attempt to process session ticket, first conduct sanity and integrity
3430      * checks on ticket.
3431      */
3432     mlen = HMAC_size(&hctx);
3433     if (mlen < 0) {
3434         goto err;
3435     }
3436     eticklen -= mlen;
3437     /* Check HMAC of encrypted ticket */
3438     if (HMAC_Update(&hctx, etick, eticklen) <= 0
3439             || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) {
3440         goto err;
3441     }
3442     HMAC_CTX_cleanup(&hctx);
3443     if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
3444         EVP_CIPHER_CTX_cleanup(&ctx);
3445         return 2;
3446     }
3447     /* Attempt to decrypt session data */
3448     /* Move p after IV to start of encrypted ticket, update length */
3449     p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3450     eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
3451     sdec = OPENSSL_malloc(eticklen);
3452     if (sdec == NULL
3453             || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
3454         EVP_CIPHER_CTX_cleanup(&ctx);
3455         OPENSSL_free(sdec);
3456         return -1;
3457     }
3458     if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
3459         EVP_CIPHER_CTX_cleanup(&ctx);
3460         OPENSSL_free(sdec);
3461         return 2;
3462     }
3463     slen += mlen;
3464     EVP_CIPHER_CTX_cleanup(&ctx);
3465     p = sdec;
3466 
3467     sess = d2i_SSL_SESSION(NULL, &p, slen);
3468     OPENSSL_free(sdec);
3469     if (sess) {
3470         /*
3471          * The session ID, if non-empty, is used by some clients to detect
3472          * that the ticket has been accepted. So we copy it to the session
3473          * structure. If it is empty set length to zero as required by
3474          * standard.
3475          */
3476         if (sesslen)
3477             memcpy(sess->session_id, sess_id, sesslen);
3478         sess->session_id_length = sesslen;
3479         *psess = sess;
3480         if (renew_ticket)
3481             return 4;
3482         else
3483             return 3;
3484     }
3485     ERR_clear_error();
3486     /*
3487      * For session parse failure, indicate that we need to send a new ticket.
3488      */
3489     return 2;
3490 err:
3491     EVP_CIPHER_CTX_cleanup(&ctx);
3492     HMAC_CTX_cleanup(&hctx);
3493     return -1;
3494 }
3495 
3496 /* Tables to translate from NIDs to TLS v1.2 ids */
3497 
3498 typedef struct {
3499     int nid;
3500     int id;
3501 } tls12_lookup;
3502 
3503 static tls12_lookup tls12_md[] = {
3504     {NID_md5, TLSEXT_hash_md5},
3505     {NID_sha1, TLSEXT_hash_sha1},
3506     {NID_sha224, TLSEXT_hash_sha224},
3507     {NID_sha256, TLSEXT_hash_sha256},
3508     {NID_sha384, TLSEXT_hash_sha384},
3509     {NID_sha512, TLSEXT_hash_sha512}
3510 };
3511 
3512 static tls12_lookup tls12_sig[] = {
3513     {EVP_PKEY_RSA, TLSEXT_signature_rsa},
3514     {EVP_PKEY_DSA, TLSEXT_signature_dsa},
3515     {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
3516 };
3517 
3518 static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
3519 {
3520     size_t i;
3521     for (i = 0; i < tlen; i++) {
3522         if (table[i].nid == nid)
3523             return table[i].id;
3524     }
3525     return -1;
3526 }
3527 
3528 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
3529 {
3530     size_t i;
3531     for (i = 0; i < tlen; i++) {
3532         if ((table[i].id) == id)
3533             return table[i].nid;
3534     }
3535     return NID_undef;
3536 }
3537 
3538 int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
3539                          const EVP_MD *md)
3540 {
3541     int sig_id, md_id;
3542     if (!md)
3543         return 0;
3544     md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
3545                           sizeof(tls12_md) / sizeof(tls12_lookup));
3546     if (md_id == -1)
3547         return 0;
3548     sig_id = tls12_get_sigid(pk);
3549     if (sig_id == -1)
3550         return 0;
3551     p[0] = (unsigned char)md_id;
3552     p[1] = (unsigned char)sig_id;
3553     return 1;
3554 }
3555 
3556 int tls12_get_sigid(const EVP_PKEY *pk)
3557 {
3558     return tls12_find_id(pk->type, tls12_sig,
3559                          sizeof(tls12_sig) / sizeof(tls12_lookup));
3560 }
3561 
3562 const EVP_MD *tls12_get_hash(unsigned char hash_alg)
3563 {
3564     switch (hash_alg) {
3565 # ifndef OPENSSL_NO_MD5
3566     case TLSEXT_hash_md5:
3567 #  ifdef OPENSSL_FIPS
3568         if (FIPS_mode())
3569             return NULL;
3570 #  endif
3571         return EVP_md5();
3572 # endif
3573 # ifndef OPENSSL_NO_SHA
3574     case TLSEXT_hash_sha1:
3575         return EVP_sha1();
3576 # endif
3577 # ifndef OPENSSL_NO_SHA256
3578     case TLSEXT_hash_sha224:
3579         return EVP_sha224();
3580 
3581     case TLSEXT_hash_sha256:
3582         return EVP_sha256();
3583 # endif
3584 # ifndef OPENSSL_NO_SHA512
3585     case TLSEXT_hash_sha384:
3586         return EVP_sha384();
3587 
3588     case TLSEXT_hash_sha512:
3589         return EVP_sha512();
3590 # endif
3591     default:
3592         return NULL;
3593 
3594     }
3595 }
3596 
3597 static int tls12_get_pkey_idx(unsigned char sig_alg)
3598 {
3599     switch (sig_alg) {
3600 # ifndef OPENSSL_NO_RSA
3601     case TLSEXT_signature_rsa:
3602         return SSL_PKEY_RSA_SIGN;
3603 # endif
3604 # ifndef OPENSSL_NO_DSA
3605     case TLSEXT_signature_dsa:
3606         return SSL_PKEY_DSA_SIGN;
3607 # endif
3608 # ifndef OPENSSL_NO_ECDSA
3609     case TLSEXT_signature_ecdsa:
3610         return SSL_PKEY_ECC;
3611 # endif
3612     }
3613     return -1;
3614 }
3615 
3616 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
3617 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
3618                                int *psignhash_nid, const unsigned char *data)
3619 {
3620     int sign_nid = NID_undef, hash_nid = NID_undef;
3621     if (!phash_nid && !psign_nid && !psignhash_nid)
3622         return;
3623     if (phash_nid || psignhash_nid) {
3624         hash_nid = tls12_find_nid(data[0], tls12_md,
3625                                   sizeof(tls12_md) / sizeof(tls12_lookup));
3626         if (phash_nid)
3627             *phash_nid = hash_nid;
3628     }
3629     if (psign_nid || psignhash_nid) {
3630         sign_nid = tls12_find_nid(data[1], tls12_sig,
3631                                   sizeof(tls12_sig) / sizeof(tls12_lookup));
3632         if (psign_nid)
3633             *psign_nid = sign_nid;
3634     }
3635     if (psignhash_nid) {
3636         if (sign_nid == NID_undef || hash_nid == NID_undef
3637                 || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid,
3638                                           sign_nid) <= 0)
3639             *psignhash_nid = NID_undef;
3640     }
3641 }
3642 
3643 /* Given preference and allowed sigalgs set shared sigalgs */
3644 static int tls12_do_shared_sigalgs(TLS_SIGALGS *shsig,
3645                                    const unsigned char *pref, size_t preflen,
3646                                    const unsigned char *allow,
3647                                    size_t allowlen)
3648 {
3649     const unsigned char *ptmp, *atmp;
3650     size_t i, j, nmatch = 0;
3651     for (i = 0, ptmp = pref; i < preflen; i += 2, ptmp += 2) {
3652         /* Skip disabled hashes or signature algorithms */
3653         if (tls12_get_hash(ptmp[0]) == NULL)
3654             continue;
3655         if (tls12_get_pkey_idx(ptmp[1]) == -1)
3656             continue;
3657         for (j = 0, atmp = allow; j < allowlen; j += 2, atmp += 2) {
3658             if (ptmp[0] == atmp[0] && ptmp[1] == atmp[1]) {
3659                 nmatch++;
3660                 if (shsig) {
3661                     shsig->rhash = ptmp[0];
3662                     shsig->rsign = ptmp[1];
3663                     tls1_lookup_sigalg(&shsig->hash_nid,
3664                                        &shsig->sign_nid,
3665                                        &shsig->signandhash_nid, ptmp);
3666                     shsig++;
3667                 }
3668                 break;
3669             }
3670         }
3671     }
3672     return nmatch;
3673 }
3674 
3675 /* Set shared signature algorithms for SSL structures */
3676 static int tls1_set_shared_sigalgs(SSL *s)
3677 {
3678     const unsigned char *pref, *allow, *conf;
3679     size_t preflen, allowlen, conflen;
3680     size_t nmatch;
3681     TLS_SIGALGS *salgs = NULL;
3682     CERT *c = s->cert;
3683     unsigned int is_suiteb = tls1_suiteb(s);
3684     if (c->shared_sigalgs) {
3685         OPENSSL_free(c->shared_sigalgs);
3686         c->shared_sigalgs = NULL;
3687         c->shared_sigalgslen = 0;
3688     }
3689     /* If client use client signature algorithms if not NULL */
3690     if (!s->server && c->client_sigalgs && !is_suiteb) {
3691         conf = c->client_sigalgs;
3692         conflen = c->client_sigalgslen;
3693     } else if (c->conf_sigalgs && !is_suiteb) {
3694         conf = c->conf_sigalgs;
3695         conflen = c->conf_sigalgslen;
3696     } else
3697         conflen = tls12_get_psigalgs(s, &conf);
3698     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
3699         pref = conf;
3700         preflen = conflen;
3701         allow = c->peer_sigalgs;
3702         allowlen = c->peer_sigalgslen;
3703     } else {
3704         allow = conf;
3705         allowlen = conflen;
3706         pref = c->peer_sigalgs;
3707         preflen = c->peer_sigalgslen;
3708     }
3709     nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
3710     if (nmatch) {
3711         salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
3712         if (!salgs)
3713             return 0;
3714         nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
3715     } else {
3716         salgs = NULL;
3717     }
3718     c->shared_sigalgs = salgs;
3719     c->shared_sigalgslen = nmatch;
3720     return 1;
3721 }
3722 
3723 /* Set preferred digest for each key type */
3724 
3725 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize)
3726 {
3727     CERT *c = s->cert;
3728     /* Extension ignored for inappropriate versions */
3729     if (!SSL_USE_SIGALGS(s))
3730         return 1;
3731     /* Should never happen */
3732     if (!c)
3733         return 0;
3734 
3735     if (c->peer_sigalgs)
3736         OPENSSL_free(c->peer_sigalgs);
3737     c->peer_sigalgs = OPENSSL_malloc(dsize);
3738     if (!c->peer_sigalgs)
3739         return 0;
3740     c->peer_sigalgslen = dsize;
3741     memcpy(c->peer_sigalgs, data, dsize);
3742     return 1;
3743 }
3744 
3745 int tls1_process_sigalgs(SSL *s)
3746 {
3747     int idx;
3748     size_t i;
3749     const EVP_MD *md;
3750     CERT *c = s->cert;
3751     TLS_SIGALGS *sigptr;
3752     if (!tls1_set_shared_sigalgs(s))
3753         return 0;
3754 
3755 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
3756     if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
3757         /*
3758          * Use first set signature preference to force message digest,
3759          * ignoring any peer preferences.
3760          */
3761         const unsigned char *sigs = NULL;
3762         if (s->server)
3763             sigs = c->conf_sigalgs;
3764         else
3765             sigs = c->client_sigalgs;
3766         if (sigs) {
3767             idx = tls12_get_pkey_idx(sigs[1]);
3768             md = tls12_get_hash(sigs[0]);
3769             c->pkeys[idx].digest = md;
3770             c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3771             if (idx == SSL_PKEY_RSA_SIGN) {
3772                 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3773                     CERT_PKEY_EXPLICIT_SIGN;
3774                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3775             }
3776         }
3777     }
3778 # endif
3779 
3780     for (i = 0, sigptr = c->shared_sigalgs;
3781          i < c->shared_sigalgslen; i++, sigptr++) {
3782         idx = tls12_get_pkey_idx(sigptr->rsign);
3783         if (idx > 0 && c->pkeys[idx].digest == NULL) {
3784             md = tls12_get_hash(sigptr->rhash);
3785             c->pkeys[idx].digest = md;
3786             c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
3787             if (idx == SSL_PKEY_RSA_SIGN) {
3788                 c->pkeys[SSL_PKEY_RSA_ENC].valid_flags =
3789                     CERT_PKEY_EXPLICIT_SIGN;
3790                 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
3791             }
3792         }
3793 
3794     }
3795     /*
3796      * In strict mode leave unset digests as NULL to indicate we can't use
3797      * the certificate for signing.
3798      */
3799     if (!(s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)) {
3800         /*
3801          * Set any remaining keys to default values. NOTE: if alg is not
3802          * supported it stays as NULL.
3803          */
3804 # ifndef OPENSSL_NO_DSA
3805         if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
3806             c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
3807 # endif
3808 # ifndef OPENSSL_NO_RSA
3809         if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) {
3810             c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
3811             c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
3812         }
3813 # endif
3814 # ifndef OPENSSL_NO_ECDSA
3815         if (!c->pkeys[SSL_PKEY_ECC].digest)
3816             c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
3817 # endif
3818     }
3819     return 1;
3820 }
3821 
3822 int SSL_get_sigalgs(SSL *s, int idx,
3823                     int *psign, int *phash, int *psignhash,
3824                     unsigned char *rsig, unsigned char *rhash)
3825 {
3826     const unsigned char *psig = s->cert->peer_sigalgs;
3827     if (psig == NULL)
3828         return 0;
3829     if (idx >= 0) {
3830         idx <<= 1;
3831         if (idx >= (int)s->cert->peer_sigalgslen)
3832             return 0;
3833         psig += idx;
3834         if (rhash)
3835             *rhash = psig[0];
3836         if (rsig)
3837             *rsig = psig[1];
3838         tls1_lookup_sigalg(phash, psign, psignhash, psig);
3839     }
3840     return s->cert->peer_sigalgslen / 2;
3841 }
3842 
3843 int SSL_get_shared_sigalgs(SSL *s, int idx,
3844                            int *psign, int *phash, int *psignhash,
3845                            unsigned char *rsig, unsigned char *rhash)
3846 {
3847     TLS_SIGALGS *shsigalgs = s->cert->shared_sigalgs;
3848     if (!shsigalgs || idx >= (int)s->cert->shared_sigalgslen)
3849         return 0;
3850     shsigalgs += idx;
3851     if (phash)
3852         *phash = shsigalgs->hash_nid;
3853     if (psign)
3854         *psign = shsigalgs->sign_nid;
3855     if (psignhash)
3856         *psignhash = shsigalgs->signandhash_nid;
3857     if (rsig)
3858         *rsig = shsigalgs->rsign;
3859     if (rhash)
3860         *rhash = shsigalgs->rhash;
3861     return s->cert->shared_sigalgslen;
3862 }
3863 
3864 # ifndef OPENSSL_NO_HEARTBEATS
3865 int tls1_process_heartbeat(SSL *s)
3866 {
3867     unsigned char *p = &s->s3->rrec.data[0], *pl;
3868     unsigned short hbtype;
3869     unsigned int payload;
3870     unsigned int padding = 16;  /* Use minimum padding */
3871 
3872     if (s->msg_callback)
3873         s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
3874                         &s->s3->rrec.data[0], s->s3->rrec.length,
3875                         s, s->msg_callback_arg);
3876 
3877     /* Read type and payload length first */
3878     if (1 + 2 + 16 > s->s3->rrec.length)
3879         return 0;               /* silently discard */
3880     hbtype = *p++;
3881     n2s(p, payload);
3882     if (1 + 2 + payload + 16 > s->s3->rrec.length)
3883         return 0;               /* silently discard per RFC 6520 sec. 4 */
3884     pl = p;
3885 
3886     if (hbtype == TLS1_HB_REQUEST) {
3887         unsigned char *buffer, *bp;
3888         int r;
3889 
3890         /*
3891          * Allocate memory for the response, size is 1 bytes message type,
3892          * plus 2 bytes payload length, plus payload, plus padding
3893          */
3894         buffer = OPENSSL_malloc(1 + 2 + payload + padding);
3895         if (buffer == NULL)
3896             return -1;
3897         bp = buffer;
3898 
3899         /* Enter response type, length and copy payload */
3900         *bp++ = TLS1_HB_RESPONSE;
3901         s2n(payload, bp);
3902         memcpy(bp, pl, payload);
3903         bp += payload;
3904         /* Random padding */
3905         if (RAND_pseudo_bytes(bp, padding) < 0) {
3906             OPENSSL_free(buffer);
3907             return -1;
3908         }
3909 
3910         r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer,
3911                              3 + payload + padding);
3912 
3913         if (r >= 0 && s->msg_callback)
3914             s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
3915                             buffer, 3 + payload + padding,
3916                             s, s->msg_callback_arg);
3917 
3918         OPENSSL_free(buffer);
3919 
3920         if (r < 0)
3921             return r;
3922     } else if (hbtype == TLS1_HB_RESPONSE) {
3923         unsigned int seq;
3924 
3925         /*
3926          * We only send sequence numbers (2 bytes unsigned int), and 16
3927          * random bytes, so we just try to read the sequence number
3928          */
3929         n2s(pl, seq);
3930 
3931         if (payload == 18 && seq == s->tlsext_hb_seq) {
3932             s->tlsext_hb_seq++;
3933             s->tlsext_hb_pending = 0;
3934         }
3935     }
3936 
3937     return 0;
3938 }
3939 
3940 int tls1_heartbeat(SSL *s)
3941 {
3942     unsigned char *buf, *p;
3943     int ret = -1;
3944     unsigned int payload = 18;  /* Sequence number + random bytes */
3945     unsigned int padding = 16;  /* Use minimum padding */
3946 
3947     /* Only send if peer supports and accepts HB requests... */
3948     if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
3949         s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
3950         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
3951         return -1;
3952     }
3953 
3954     /* ...and there is none in flight yet... */
3955     if (s->tlsext_hb_pending) {
3956         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
3957         return -1;
3958     }
3959 
3960     /* ...and no handshake in progress. */
3961     if (SSL_in_init(s) || s->in_handshake) {
3962         SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
3963         return -1;
3964     }
3965 
3966     /*
3967      * Check if padding is too long, payload and padding must not exceed 2^14
3968      * - 3 = 16381 bytes in total.
3969      */
3970     OPENSSL_assert(payload + padding <= 16381);
3971 
3972     /*-
3973      * Create HeartBeat message, we just use a sequence number
3974      * as payload to distuingish different messages and add
3975      * some random stuff.
3976      *  - Message Type, 1 byte
3977      *  - Payload Length, 2 bytes (unsigned int)
3978      *  - Payload, the sequence number (2 bytes uint)
3979      *  - Payload, random bytes (16 bytes uint)
3980      *  - Padding
3981      */
3982     buf = OPENSSL_malloc(1 + 2 + payload + padding);
3983     p = buf;
3984     /* Message Type */
3985     *p++ = TLS1_HB_REQUEST;
3986     /* Payload length (18 bytes here) */
3987     s2n(payload, p);
3988     /* Sequence number */
3989     s2n(s->tlsext_hb_seq, p);
3990     /* 16 random bytes */
3991     if (RAND_pseudo_bytes(p, 16) < 0) {
3992         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3993         goto err;
3994     }
3995     p += 16;
3996     /* Random padding */
3997     if (RAND_pseudo_bytes(p, padding) < 0) {
3998         SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
3999         goto err;
4000     }
4001 
4002     ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
4003     if (ret >= 0) {
4004         if (s->msg_callback)
4005             s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
4006                             buf, 3 + payload + padding,
4007                             s, s->msg_callback_arg);
4008 
4009         s->tlsext_hb_pending = 1;
4010     }
4011 
4012 err:
4013     OPENSSL_free(buf);
4014 
4015     return ret;
4016 }
4017 # endif
4018 
4019 # define MAX_SIGALGLEN   (TLSEXT_hash_num * TLSEXT_signature_num * 2)
4020 
4021 typedef struct {
4022     size_t sigalgcnt;
4023     int sigalgs[MAX_SIGALGLEN];
4024 } sig_cb_st;
4025 
4026 static int sig_cb(const char *elem, int len, void *arg)
4027 {
4028     sig_cb_st *sarg = arg;
4029     size_t i;
4030     char etmp[20], *p;
4031     int sig_alg, hash_alg;
4032     if (elem == NULL)
4033         return 0;
4034     if (sarg->sigalgcnt == MAX_SIGALGLEN)
4035         return 0;
4036     if (len > (int)(sizeof(etmp) - 1))
4037         return 0;
4038     memcpy(etmp, elem, len);
4039     etmp[len] = 0;
4040     p = strchr(etmp, '+');
4041     if (!p)
4042         return 0;
4043     *p = 0;
4044     p++;
4045     if (!*p)
4046         return 0;
4047 
4048     if (!strcmp(etmp, "RSA"))
4049         sig_alg = EVP_PKEY_RSA;
4050     else if (!strcmp(etmp, "DSA"))
4051         sig_alg = EVP_PKEY_DSA;
4052     else if (!strcmp(etmp, "ECDSA"))
4053         sig_alg = EVP_PKEY_EC;
4054     else
4055         return 0;
4056 
4057     hash_alg = OBJ_sn2nid(p);
4058     if (hash_alg == NID_undef)
4059         hash_alg = OBJ_ln2nid(p);
4060     if (hash_alg == NID_undef)
4061         return 0;
4062 
4063     for (i = 0; i < sarg->sigalgcnt; i += 2) {
4064         if (sarg->sigalgs[i] == sig_alg && sarg->sigalgs[i + 1] == hash_alg)
4065             return 0;
4066     }
4067     sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
4068     sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
4069     return 1;
4070 }
4071 
4072 /*
4073  * Set suppored signature algorithms based on a colon separated list of the
4074  * form sig+hash e.g. RSA+SHA512:DSA+SHA512
4075  */
4076 int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
4077 {
4078     sig_cb_st sig;
4079     sig.sigalgcnt = 0;
4080     if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
4081         return 0;
4082     if (c == NULL)
4083         return 1;
4084     return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
4085 }
4086 
4087 int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
4088                      int client)
4089 {
4090     unsigned char *sigalgs, *sptr;
4091     int rhash, rsign;
4092     size_t i;
4093     if (salglen & 1)
4094         return 0;
4095     sigalgs = OPENSSL_malloc(salglen);
4096     if (sigalgs == NULL)
4097         return 0;
4098     for (i = 0, sptr = sigalgs; i < salglen; i += 2) {
4099         rhash = tls12_find_id(*psig_nids++, tls12_md,
4100                               sizeof(tls12_md) / sizeof(tls12_lookup));
4101         rsign = tls12_find_id(*psig_nids++, tls12_sig,
4102                               sizeof(tls12_sig) / sizeof(tls12_lookup));
4103 
4104         if (rhash == -1 || rsign == -1)
4105             goto err;
4106         *sptr++ = rhash;
4107         *sptr++ = rsign;
4108     }
4109 
4110     if (client) {
4111         if (c->client_sigalgs)
4112             OPENSSL_free(c->client_sigalgs);
4113         c->client_sigalgs = sigalgs;
4114         c->client_sigalgslen = salglen;
4115     } else {
4116         if (c->conf_sigalgs)
4117             OPENSSL_free(c->conf_sigalgs);
4118         c->conf_sigalgs = sigalgs;
4119         c->conf_sigalgslen = salglen;
4120     }
4121 
4122     return 1;
4123 
4124  err:
4125     OPENSSL_free(sigalgs);
4126     return 0;
4127 }
4128 
4129 static int tls1_check_sig_alg(CERT *c, X509 *x, int default_nid)
4130 {
4131     int sig_nid;
4132     size_t i;
4133     if (default_nid == -1)
4134         return 1;
4135     sig_nid = X509_get_signature_nid(x);
4136     if (default_nid)
4137         return sig_nid == default_nid ? 1 : 0;
4138     for (i = 0; i < c->shared_sigalgslen; i++)
4139         if (sig_nid == c->shared_sigalgs[i].signandhash_nid)
4140             return 1;
4141     return 0;
4142 }
4143 
4144 /* Check to see if a certificate issuer name matches list of CA names */
4145 static int ssl_check_ca_name(STACK_OF(X509_NAME) *names, X509 *x)
4146 {
4147     X509_NAME *nm;
4148     int i;
4149     nm = X509_get_issuer_name(x);
4150     for (i = 0; i < sk_X509_NAME_num(names); i++) {
4151         if (!X509_NAME_cmp(nm, sk_X509_NAME_value(names, i)))
4152             return 1;
4153     }
4154     return 0;
4155 }
4156 
4157 /*
4158  * Check certificate chain is consistent with TLS extensions and is usable by
4159  * server. This servers two purposes: it allows users to check chains before
4160  * passing them to the server and it allows the server to check chains before
4161  * attempting to use them.
4162  */
4163 
4164 /* Flags which need to be set for a certificate when stict mode not set */
4165 
4166 # define CERT_PKEY_VALID_FLAGS \
4167         (CERT_PKEY_EE_SIGNATURE|CERT_PKEY_EE_PARAM)
4168 /* Strict mode flags */
4169 # define CERT_PKEY_STRICT_FLAGS \
4170          (CERT_PKEY_VALID_FLAGS|CERT_PKEY_CA_SIGNATURE|CERT_PKEY_CA_PARAM \
4171          | CERT_PKEY_ISSUER_NAME|CERT_PKEY_CERT_TYPE)
4172 
4173 int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
4174                      int idx)
4175 {
4176     int i;
4177     int rv = 0;
4178     int check_flags = 0, strict_mode;
4179     CERT_PKEY *cpk = NULL;
4180     CERT *c = s->cert;
4181     unsigned int suiteb_flags = tls1_suiteb(s);
4182     /* idx == -1 means checking server chains */
4183     if (idx != -1) {
4184         /* idx == -2 means checking client certificate chains */
4185         if (idx == -2) {
4186             cpk = c->key;
4187             idx = cpk - c->pkeys;
4188         } else
4189             cpk = c->pkeys + idx;
4190         x = cpk->x509;
4191         pk = cpk->privatekey;
4192         chain = cpk->chain;
4193         strict_mode = c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT;
4194         /* If no cert or key, forget it */
4195         if (!x || !pk)
4196             goto end;
4197 # ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
4198         /* Allow any certificate to pass test */
4199         if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
4200             rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
4201                 CERT_PKEY_VALID | CERT_PKEY_SIGN;
4202             cpk->valid_flags = rv;
4203             return rv;
4204         }
4205 # endif
4206     } else {
4207         if (!x || !pk)
4208             return 0;
4209         idx = ssl_cert_type(x, pk);
4210         if (idx == -1)
4211             return 0;
4212         cpk = c->pkeys + idx;
4213         if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
4214             check_flags = CERT_PKEY_STRICT_FLAGS;
4215         else
4216             check_flags = CERT_PKEY_VALID_FLAGS;
4217         strict_mode = 1;
4218     }
4219 
4220     if (suiteb_flags) {
4221         int ok;
4222         if (check_flags)
4223             check_flags |= CERT_PKEY_SUITEB;
4224         ok = X509_chain_check_suiteb(NULL, x, chain, suiteb_flags);
4225         if (ok == X509_V_OK)
4226             rv |= CERT_PKEY_SUITEB;
4227         else if (!check_flags)
4228             goto end;
4229     }
4230 
4231     /*
4232      * Check all signature algorithms are consistent with signature
4233      * algorithms extension if TLS 1.2 or later and strict mode.
4234      */
4235     if (TLS1_get_version(s) >= TLS1_2_VERSION && strict_mode) {
4236         int default_nid;
4237         unsigned char rsign = 0;
4238         if (c->peer_sigalgs)
4239             default_nid = 0;
4240         /* If no sigalgs extension use defaults from RFC5246 */
4241         else {
4242             switch (idx) {
4243             case SSL_PKEY_RSA_ENC:
4244             case SSL_PKEY_RSA_SIGN:
4245             case SSL_PKEY_DH_RSA:
4246                 rsign = TLSEXT_signature_rsa;
4247                 default_nid = NID_sha1WithRSAEncryption;
4248                 break;
4249 
4250             case SSL_PKEY_DSA_SIGN:
4251             case SSL_PKEY_DH_DSA:
4252                 rsign = TLSEXT_signature_dsa;
4253                 default_nid = NID_dsaWithSHA1;
4254                 break;
4255 
4256             case SSL_PKEY_ECC:
4257                 rsign = TLSEXT_signature_ecdsa;
4258                 default_nid = NID_ecdsa_with_SHA1;
4259                 break;
4260 
4261             default:
4262                 default_nid = -1;
4263                 break;
4264             }
4265         }
4266         /*
4267          * If peer sent no signature algorithms extension and we have set
4268          * preferred signature algorithms check we support sha1.
4269          */
4270         if (default_nid > 0 && c->conf_sigalgs) {
4271             size_t j;
4272             const unsigned char *p = c->conf_sigalgs;
4273             for (j = 0; j < c->conf_sigalgslen; j += 2, p += 2) {
4274                 if (p[0] == TLSEXT_hash_sha1 && p[1] == rsign)
4275                     break;
4276             }
4277             if (j == c->conf_sigalgslen) {
4278                 if (check_flags)
4279                     goto skip_sigs;
4280                 else
4281                     goto end;
4282             }
4283         }
4284         /* Check signature algorithm of each cert in chain */
4285         if (!tls1_check_sig_alg(c, x, default_nid)) {
4286             if (!check_flags)
4287                 goto end;
4288         } else
4289             rv |= CERT_PKEY_EE_SIGNATURE;
4290         rv |= CERT_PKEY_CA_SIGNATURE;
4291         for (i = 0; i < sk_X509_num(chain); i++) {
4292             if (!tls1_check_sig_alg(c, sk_X509_value(chain, i), default_nid)) {
4293                 if (check_flags) {
4294                     rv &= ~CERT_PKEY_CA_SIGNATURE;
4295                     break;
4296                 } else
4297                     goto end;
4298             }
4299         }
4300     }
4301     /* Else not TLS 1.2, so mark EE and CA signing algorithms OK */
4302     else if (check_flags)
4303         rv |= CERT_PKEY_EE_SIGNATURE | CERT_PKEY_CA_SIGNATURE;
4304  skip_sigs:
4305     /* Check cert parameters are consistent */
4306     if (tls1_check_cert_param(s, x, check_flags ? 1 : 2))
4307         rv |= CERT_PKEY_EE_PARAM;
4308     else if (!check_flags)
4309         goto end;
4310     if (!s->server)
4311         rv |= CERT_PKEY_CA_PARAM;
4312     /* In strict mode check rest of chain too */
4313     else if (strict_mode) {
4314         rv |= CERT_PKEY_CA_PARAM;
4315         for (i = 0; i < sk_X509_num(chain); i++) {
4316             X509 *ca = sk_X509_value(chain, i);
4317             if (!tls1_check_cert_param(s, ca, 0)) {
4318                 if (check_flags) {
4319                     rv &= ~CERT_PKEY_CA_PARAM;
4320                     break;
4321                 } else
4322                     goto end;
4323             }
4324         }
4325     }
4326     if (!s->server && strict_mode) {
4327         STACK_OF(X509_NAME) *ca_dn;
4328         int check_type = 0;
4329         switch (pk->type) {
4330         case EVP_PKEY_RSA:
4331             check_type = TLS_CT_RSA_SIGN;
4332             break;
4333         case EVP_PKEY_DSA:
4334             check_type = TLS_CT_DSS_SIGN;
4335             break;
4336         case EVP_PKEY_EC:
4337             check_type = TLS_CT_ECDSA_SIGN;
4338             break;
4339         case EVP_PKEY_DH:
4340         case EVP_PKEY_DHX:
4341             {
4342                 int cert_type = X509_certificate_type(x, pk);
4343                 if (cert_type & EVP_PKS_RSA)
4344                     check_type = TLS_CT_RSA_FIXED_DH;
4345                 if (cert_type & EVP_PKS_DSA)
4346                     check_type = TLS_CT_DSS_FIXED_DH;
4347             }
4348         }
4349         if (check_type) {
4350             const unsigned char *ctypes;
4351             int ctypelen;
4352             if (c->ctypes) {
4353                 ctypes = c->ctypes;
4354                 ctypelen = (int)c->ctype_num;
4355             } else {
4356                 ctypes = (unsigned char *)s->s3->tmp.ctype;
4357                 ctypelen = s->s3->tmp.ctype_num;
4358             }
4359             for (i = 0; i < ctypelen; i++) {
4360                 if (ctypes[i] == check_type) {
4361                     rv |= CERT_PKEY_CERT_TYPE;
4362                     break;
4363                 }
4364             }
4365             if (!(rv & CERT_PKEY_CERT_TYPE) && !check_flags)
4366                 goto end;
4367         } else
4368             rv |= CERT_PKEY_CERT_TYPE;
4369 
4370         ca_dn = s->s3->tmp.ca_names;
4371 
4372         if (!sk_X509_NAME_num(ca_dn))
4373             rv |= CERT_PKEY_ISSUER_NAME;
4374 
4375         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4376             if (ssl_check_ca_name(ca_dn, x))
4377                 rv |= CERT_PKEY_ISSUER_NAME;
4378         }
4379         if (!(rv & CERT_PKEY_ISSUER_NAME)) {
4380             for (i = 0; i < sk_X509_num(chain); i++) {
4381                 X509 *xtmp = sk_X509_value(chain, i);
4382                 if (ssl_check_ca_name(ca_dn, xtmp)) {
4383                     rv |= CERT_PKEY_ISSUER_NAME;
4384                     break;
4385                 }
4386             }
4387         }
4388         if (!check_flags && !(rv & CERT_PKEY_ISSUER_NAME))
4389             goto end;
4390     } else
4391         rv |= CERT_PKEY_ISSUER_NAME | CERT_PKEY_CERT_TYPE;
4392 
4393     if (!check_flags || (rv & check_flags) == check_flags)
4394         rv |= CERT_PKEY_VALID;
4395 
4396  end:
4397 
4398     if (TLS1_get_version(s) >= TLS1_2_VERSION) {
4399         if (cpk->valid_flags & CERT_PKEY_EXPLICIT_SIGN)
4400             rv |= CERT_PKEY_EXPLICIT_SIGN | CERT_PKEY_SIGN;
4401         else if (cpk->digest)
4402             rv |= CERT_PKEY_SIGN;
4403     } else
4404         rv |= CERT_PKEY_SIGN | CERT_PKEY_EXPLICIT_SIGN;
4405 
4406     /*
4407      * When checking a CERT_PKEY structure all flags are irrelevant if the
4408      * chain is invalid.
4409      */
4410     if (!check_flags) {
4411         if (rv & CERT_PKEY_VALID)
4412             cpk->valid_flags = rv;
4413         else {
4414             /* Preserve explicit sign flag, clear rest */
4415             cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
4416             return 0;
4417         }
4418     }
4419     return rv;
4420 }
4421 
4422 /* Set validity of certificates in an SSL structure */
4423 void tls1_set_cert_validity(SSL *s)
4424 {
4425     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_ENC);
4426     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_RSA_SIGN);
4427     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DSA_SIGN);
4428     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_RSA);
4429     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_DH_DSA);
4430     tls1_check_chain(s, NULL, NULL, NULL, SSL_PKEY_ECC);
4431 }
4432 
4433 /* User level utiity function to check a chain is suitable */
4434 int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
4435 {
4436     return tls1_check_chain(s, x, pk, chain, -1);
4437 }
4438 
4439 #endif
4440